2 matches found
CVE-2026-3688 WCFM - WooCommerce Multivendor Membership <= 2.11.10 - Insecure Direct Object Reference to Limited Privilege Escalation via User Role Overwrite
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvmmembershipchange' AJAX action not validating user permission to modify other...
CVE-2026-3688
The CVE concerns the WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress. Affected: all versions up to 2.11.10. Root cause: the wcfmvm_membership_change AJAX action does not validate a user’s permission to modify other users, enabling an authenticated vendor...