WordPress Plugin Vulnerabilities

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace < 2.11.9 - Insecure Direct Object Reference to Update Membership Payment

Description

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments.

Affects Plugins

Plugin icon
wc-multivendor-membership
Fixed in 2.11.9

References

CVE
CVE-2025-15147
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c8d286db-b2a7-46c4-825f-dc67dda8a63d

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jing Xuan Sun
Verified
No
WPVDB ID
beb3839f-a60e-484f-b1e6-499422e86772

Timeline

Publicly Published
2026-02-09 (about 3 months ago)
Added
2026-02-09 (about 3 months ago)
Last Updated
2026-02-09 (about 3 months ago)

Other

Published
Title
Published
2024-11-20
Title
Button Block – Get fully customizable & multi-functional buttons < 1.1.5 - Authenticated (Contributor+) Post Disclosure
Published
2023-12-19
Title
WPDashboardNotes < 1.0.11 - Unauthorised Deletion of Private Notes
Published
2026-01-05
Title
AS Password Field In Default Registration Form <= 2.0.0 - Unauthenticated Privilege Escalation via Account Takeover
Published
2024-05-30
Title
Advanced Custom Fields < 6.3 - Contributor+ Custom Field Access
Published
2025-04-14
Title
Projectopia <= 5.1.23 - Unauthenticated Privilege Escalation via Account Takeover