cleantalk
Vulnerabilities and Security Researches

WCFM Marketplace – Best Multivendor Marketplace for WooCommerce, CVE-2026-1722

CVE, Research URL

CVE-2026-1722

Home page URL

Security reports for WCFM Marketplace – Best Multivendor Marketplace for WooCommerce

Application

WCFM Marketplace – Best Multivendor Marketplace for WooCommerce

Published on
Feb 10, 2026
Research Description
The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings.
Affected versions
max 3.7.1.
Status
vulnerable
Previous vulnerability researches
GNA Search Shortcode (CVE-2025-46540) , Apr 26, 2025
New vulnerability
WP Accessibility (CVE-2026-2362) , Apr 15, 2026
Community Events (CVE-2026-2429) , Apr 15, 2026
3D FlipBook – PDF Flipbook WordPress (CVE-2026-1314) , Apr 15, 2026
Responsive Contact Form Builder & Lead Generation Plugin (CVE-2026-1454) , Apr 15, 2026
wpForo Forum (CVE-2026-1581) , Apr 15, 2026