PatchSiren cyber security CVE debrief
CVE-2026-3688 wclovers CVE debrief
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress has a vulnerability that allows authenticated attackers with vendor level access to change user roles. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. The vulnerability has a high CVSS score of 8.1 and is considered a high priority due to its potential impact. Users of the plugin should verify and update to the latest version.
- Vendor
- wclovers
- Product
- WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Users of WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress should verify and update to the latest version. This includes administrators, security teams, and operators who manage the affected plugin. They should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
Technical summary
The plugin is vulnerable to Insecure Direct Object Reference due to the 'wcfmvm_membership_change' AJAX action not validating user permissions. This allows authenticated attackers with vendor level access to change any user's role. The vulnerability has a high CVSS score of 8.1 and is considered a high priority. The affected product is the WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress.
Defensive priority
High priority due to the high CVSS score of 8.1 and the potential for attackers to change user roles.
Recommended defensive actions
- Update to the latest version of WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin
- Restrict access to the 'wcfmvm_membership_change' AJAX action
- Monitor user role changes and authentication events
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference. Evidence from the CVE record and NVD detail suggests that the vulnerability exists in all versions up to 2.11.10. The 'wcfmvm_membership_change' AJAX action does not validate user permission to modify other users, allowing authenticated attackers with vendor level access and above to change any user's role to 'wcfm_vendor'. The CVE record was published on 2026-07-08T12:17:20.430Z and has not been modified since then. Defenders should verify the affected scope, severity, and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T12:17:20.430Z and has not been modified since then.