WordPress Plugin Vulnerabilities

WCFM Marketplace < 3.7.1 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation

Description

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings.

Affects Plugins

Plugin icon
wc-multivendor-marketplace
Fixed in 3.7.1

References

CVE
CVE-2026-1722
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d39ec46d-58c4-40e4-b94a-e7a9fc99291a

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Gibran Abdillah
Verified
No
WPVDB ID
f3dd6643-c857-4f54-bb4e-d7704bd3a3b4

Timeline

Publicly Published
2026-02-09 (about 3 months ago)
Added
2026-02-09 (about 3 months ago)
Last Updated
2026-02-10 (about 3 months ago)

Other

Published
Title
Published
2024-04-22
Title
Integrate Google Drive < 1.3.91 - Missing Authorization
Published
2024-09-30
Title
KB Support < 1.6.7 - Unauthenticated Ticket Reply Exposure
Published
2024-10-07
Title
Photo Gallery, Images, Slider in Rbs Image Gallery < 3.2.22 - Missing Authorization to Authenticated (Subscriber+) Private Gallery Title Disclosure
Published
2025-06-19
Title
Kata Plus < 1.5.4 - Missing Authorization
Published
2025-12-07
Title
Contact Form by BestWebSoft < 4.3.7 - Missing Authorization