PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3688 wclovers CVE debrief

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress has a vulnerability that allows authenticated attackers with vendor level access to change user roles. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. The vulnerability has a high CVSS score of 8.1 and is considered a high priority due to its potential impact. Users of the plugin should verify and update to the latest version.

Vendor
wclovers
Product
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Users of WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress should verify and update to the latest version. This includes administrators, security teams, and operators who manage the affected plugin. They should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The plugin is vulnerable to Insecure Direct Object Reference due to the 'wcfmvm_membership_change' AJAX action not validating user permissions. This allows authenticated attackers with vendor level access to change any user's role. The vulnerability has a high CVSS score of 8.1 and is considered a high priority. The affected product is the WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress.

Defensive priority

High priority due to the high CVSS score of 8.1 and the potential for attackers to change user roles.

Recommended defensive actions

  • Update to the latest version of WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin
  • Restrict access to the 'wcfmvm_membership_change' AJAX action
  • Monitor user role changes and authentication events
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference. Evidence from the CVE record and NVD detail suggests that the vulnerability exists in all versions up to 2.11.10. The 'wcfmvm_membership_change' AJAX action does not validate user permission to modify other users, allowing authenticated attackers with vendor level access and above to change any user's role to 'wcfm_vendor'. The CVE record was published on 2026-07-08T12:17:20.430Z and has not been modified since then. Defenders should verify the affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T12:17:20.430Z and has not been modified since then.