Vulnerabilities and security researches forwc-multivendor-membership wc-multivendor-membership

Feb 27, 2026

CVE, Research URL: CVE-2025-15147
Home page URL: Security reports for WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Application: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Date: Feb 10, 2026
Research Description: The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments.
Affected versions: max 2.11.9.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2023-2276
Home page URL: Security reports for WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Application: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Date: May 20, 2023
Research Description: The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.10.7. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.
Affected versions: max 2.11.0.
Status: vulnerable

CVE, Research URL: CVE-2022-4939
Home page URL: Security reports for WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Application: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Date: Apr 06, 2023
Research Description: THe WCFM Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 2.10.0, due to a missing capability check on the wp_ajax_nopriv_wcfm_ajax_controller AJAX action that controls membership settings. This makes it possible for unauthenticated attackers to modify the membership registration form in a way that allows them to set the role for registration to that of any user including administrators. Once configured, the attacker can then register as an administrator.
Affected versions: max 2.10.1.
Status: vulnerable

CVE, Research URL: CVE-2022-4940
Home page URL: Security reports for WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Application: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Date: Apr 06, 2023
Research Description: The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying membership details, changing renewal information, controlling membership approvals, and more.
Affected versions: max 2.10.1.
Status: vulnerable

CVE, Research URL: CVE-2022-4941
Home page URL: Security reports for WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Application: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Date: Apr 06, 2023
Research Description: The WCFM Membership plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.10 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying membership details, changing renewal information, controlling membership approvals, and more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link.
Affected versions: max 2.10.1.
Status: vulnerable