WCFM Membership – WooCommerce Memberships for Multivendor Marketplace Security & Risk Analysis

wordpress.org/plugins/wc-multivendor-membership

A simple woocommerce memberships plugin for offering free and premium subscription for your multi-vendor marketplace - WCFM Marketplace, WC Vendors & …

10K active installs · v2.11.9 · PHP 5.6+ · WP 4.4+ · Updated Feb 7, 2026
Tags: members, multi-vendor, multivendor-marketplace, subscription, woocommerce-membership

Score: 83 · B · Generally Safe
CVEs total: 5
Unpatched: 0
Last CVE: Feb 9, 2026

Safety Verdict

Is WCFM Membership – WooCommerce Memberships for Multivendor Marketplace Safe to Use in 2026?

Mostly Safe

Score 83/100

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace is generally safe to use. 5 past CVEs were resolved. Keep it updated.

5 known CVEs · Last CVE: Feb 9, 2026 · Updated 1mo ago

Risk Assessment

The "wc-multivendor-membership" plugin v2.11.9 exhibits a mixed security posture. While the static analysis reveals strong adherence to secure coding practices, with 100% of SQL queries using prepared statements and a high percentage of outputs properly escaped, there are areas of concern. Notably, the presence of two unsanitized paths in the taint analysis, although not leading to critical or high severity vulnerabilities in this version, warrants careful attention as it indicates potential entry points for malicious input.

The plugin's vulnerability history is a significant red flag. With a total of 5 known CVEs, including 2 critical and 1 high severity, and past common vulnerability types like Authorization Bypass and Missing Authorization, it suggests a recurring pattern of security weaknesses. The fact that all previously disclosed vulnerabilities are currently patched is a positive sign, but the historical prevalence of severe issues implies a need for ongoing vigilance and robust testing.

In conclusion, while the current version's static analysis shows improved security controls, the plugin's past security record necessitates caution. The combination of historical severe vulnerabilities and the identified unsanitized paths in the taint analysis means that while the immediate risk in this specific version might be lower due to patched CVEs, the potential for future vulnerabilities should not be underestimated. Continuous monitoring and prompt application of updates are highly recommended.

Key Concerns

  • History of 2 critical CVEs
  • History of 1 high CVE
  • History of 2 medium CVEs
  • Flows with unsanitized paths (2)

Vulnerabilities: 5

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace Security Vulnerabilities

CVEs by Year

  • 2023: 4 CVEs
  • 2026: 1 CVE

Severity Breakdown

  • Critical: 2
  • High: 1
  • Medium: 2

5 total CVEs

CVE-2025-15147 · medium · 4.3 · Authorization Bypass Through User-Controlled Key
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment
Feb 9, 2026 · Patched in 2.11.9 (1d)

CVE-2023-2276 · critical · 9.8 · Authorization Bypass Through User-Controlled Key
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.10.7 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change
May 3, 2023 · Patched in 2.11.0 (265d)

CVE-2022-4939 · critical · 9.8 · Missing Authorization
WCFM Membership <= 2.10.0 - Unauthenticated Privilege Escalation
Apr 5, 2023 · Patched in 2.10.1 (293d)

CVE-2022-4941 · medium · 6.3 · Cross-Site Request Forgery (CSRF)
WCFM Membership <= 2.9.10 - Cross-Site Request Forgery
Apr 5, 2023 · Patched in 2.10.0 (293d)

CVE-2022-4940 · high · 7.3 · Missing Authorization
WCFM Membership <= 2.10.0 - Missing Authorization
Apr 5, 2023 · Patched in 2.10.1 (293d)

Code Analysis
Analyzed Mar 16, 2026

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (11 prepared)
  • Unescaped Output: 59 (452 escaped)
  • Nonce Checks: 15
  • Capability Checks: 38
  • File Operations: 4
  • External Requests: 2
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 11 total queries

Output Escaping

88% escaped · 511 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

14 flows · 2 with unsanitized paths
processing (controllers\wcfmvm-controller-memberships.php:20)

Attack Surface

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace Attack Surface

Entry Points: 21
Unprotected: 0

AJAX Handlers 18

nopriv · wp_ajax_wcfm_ajax_controller · core\class-wcfmvm-ajax.php:22
auth · wp_ajax_wcfm_choose_membership · core\class-wcfmvm-ajax.php:25
nopriv · wp_ajax_wcfm_choose_membership · core\class-wcfmvm-ajax.php:26
auth · wp_ajax_wcfmvm_vendor_approval_html · core\class-wcfmvm-ajax.php:29
auth · wp_ajax_wcfmvm_vendor_approval_response_update · core\class-wcfmvm-ajax.php:32
auth · wp_ajax_wcfmvm_membership_cancel · core\class-wcfmvm-ajax.php:35
auth · wp_ajax_wcfmvm_membership_change · core\class-wcfmvm-ajax.php:38
auth · wp_ajax_delete_wcfm_membership · core\class-wcfmvm-ajax.php:41
auth · wp_ajax_wcfmvm_change_next_renewal_html · core\class-wcfmvm-ajax.php:44
auth · wp_ajax_wcfmvm_change_next_renewal · core\class-wcfmvm-ajax.php:47
auth · wp_ajax_wcfmvm_email_verification_code · core\class-wcfmvm-ajax.php:50
nopriv · wp_ajax_wcfmvm_email_verification_code · core\class-wcfmvm-ajax.php:51
auth · wp_ajax_wcfmvm_sms_verification_code · core\class-wcfmvm-ajax.php:54
nopriv · wp_ajax_wcfmvm_sms_verification_code · core\class-wcfmvm-ajax.php:55
auth · wp_ajax_wcfmvm_store_slug_verification · core\class-wcfmvm-ajax.php:58
nopriv · wp_ajax_wcfmvm_store_slug_verification · core\class-wcfmvm-ajax.php:59
auth · wp_ajax_wcfm-memberships-payment-paypal · core\class-wcfmvm-ajax.php:61
auth · wp_ajax_wcfm_pay_for_product · core\class-wcfmvm-pay-for-product.php:29

Shortcodes 3

[wcfm_vendor_membership] core\class-wcfmvm-shortcode.php:18
[wcfm_vendor_registration] core\class-wcfmvm-shortcode.php:21
[wcfmvm_subscribe] core\class-wcfmvm-shortcode.php:24

WordPress Hooks 62

action · after_wcfm_ajax_controller · core\class-wcfmvm-ajax.php:21
filter · wcfm_is_allow_membership · core\class-wcfmvm-capability.php:21
filter · woocommerce_email_classes · core\class-wcfmvm-emails.php:17
filter · woocommerce_template_directory · core\class-wcfmvm-emails.php:19
action · page_template · core\class-wcfmvm-frontend.php:18
filter · wcfm_query_vars · core\class-wcfmvm-frontend.php:22
filter · wcfm_endpoint_title · core\class-wcfmvm-frontend.php:23
action · init · core\class-wcfmvm-frontend.php:24
filter · wcfm_settings_fields_pages · core\class-wcfmvm-frontend.php:27
filter · wcfm_endpoints_slug · core\class-wcfmvm-frontend.php:30
filter · wcfm_menus · core\class-wcfmvm-frontend.php:33
filter · wcfm_menu_dependancy_map · core\class-wcfmvm-frontend.php:34
action · after_wcfm_vendors_manage_membership_details · core\class-wcfmvm-frontend.php:40
action · wcfm_vendor_manage_membrship_details · core\class-wcfmvm-frontend.php:41
action · wcfm_dashboard_after_username · core\class-wcfmvm-frontend.php:47
action · wcfm_vendor_setting_header_after · core\class-wcfmvm-frontend.php:49
action · end_wcfm_user_profile · core\class-wcfmvm-frontend.php:50
action · end_wcfm_vendor_settings · core\class-wcfmvm-frontend.php:52
action · wcfm_product_limit_pay_for_product_after · core\class-wcfmvm-frontend.php:59
action · wcfm_product_limit_reached · core\class-wcfmvm-frontend.php:60
filter · wcfm_message_types · core\class-wcfmvm-frontend.php:64
action · woocommerce_thankyou · core\class-wcfmvm-frontend.php:67
filter · wcfm_change_membership_url · core\class-wcfmvm-frontend.php:70
filter · wcfm_registration_thankyou_url · core\class-wcfmvm-frontend.php:73
filter · wcfmvm_is_allow_registration_first · core\class-wcfmvm-frontend.php:76
action · wp_enqueue_scripts · core\class-wcfmvm-frontend.php:79
action · wp_enqueue_scripts · core\class-wcfmvm-frontend.php:81
action · wcfm_membership_registration · core\class-wcfmvm-frontend.php:84
action · wcfm_load_scripts · core\class-wcfmvm-library.php:63
action · after_wcfm_load_scripts · core\class-wcfmvm-library.php:64
action · wcfm_load_styles · core\class-wcfmvm-library.php:67
action · after_wcfm_load_styles · core\class-wcfmvm-library.php:68
action · before_wcfm_load_views · core\class-wcfmvm-library.php:72
filter · plugin_row_meta · core\class-wcfmvm-non-ajax.php:19
action · end_wcfm_membership_settings_form · core\class-wcfmvm-pay-for-product.php:18
action · wcfm_membership_settings_update · core\class-wcfmvm-pay-for-product.php:19
filter · wcfm_vendor_product_limit · core\class-wcfmvm-pay-for-product.php:23
action · wcfm_product_limit_reached · core\class-wcfmvm-pay-for-product.php:26
action · woocommerce_order_status_completed · core\class-wcfmvm-pay-for-product.php:33
filter · wcfm_message_types · core\class-wcfmvm-pay-for-product.php:36
action · wcfm_load_scripts · core\class-wcfmvm-pay-for-product.php:39
action · after_wcfm_load_scripts · core\class-wcfmvm-pay-for-product.php:40
action · wcfm_load_styles · core\class-wcfmvm-pay-for-product.php:43
action · after_wcfm_load_styles · core\class-wcfmvm-pay-for-product.php:44
action · init · core\class-wcfmvm.php:48
action · wcfm_init · core\class-wcfmvm.php:50
action · woocommerce_loaded · core\class-wcfmvm.php:52
action · init · core\class-wcfmvm.php:54
action · wp · core\class-wcfmvm.php:56
action · wcfmvm_membership_scheduler · core\class-wcfmvm.php:58
filter · wcfm_modules · core\class-wcfmvm.php:60
action · admin_notices · core\class-wcfmvm.php:78
action · admin_notices · core\class-wcfmvm.php:83
action · woocommerce_order_status_processing · core\class-wcfmvm.php:132
action · woocommerce_order_status_completed · core\class-wcfmvm.php:133
action · woocommerce_subscription_status_changed · core\class-wcfmvm.php:136
action · woocommerce_subscription_date_updated · core\class-wcfmvm.php:139
action · delete_user · core\class-wcfmvm.php:142
action · wcfm_membership_data_reset · core\class-wcfmvm.php:145
action · woocommerce_after_my_account · core\class-wcfmvm.php:155
action · wcfm_capability_settings_miscellaneous · views\wcfmvm-view-capability.php:22
action · before_woocommerce_init · wc-multivendor-membership.php:44

Maintenance & Trust

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 7, 2026
  • PHP min version: 5.6
  • Downloads: 887K

Community Trust

  • Rating: 80/100
  • Number of ratings: 25
  • Active installs: 10K

Developer Profile

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace Developer Profile

WC Lovers

7 plugins · 52K total installs

  • Trust score: 68
  • Avg Security Score: 84/100
  • Avg Patch Time: 210 days

Detection Fingerprints

How We Detect WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wc-multivendor-membership/assets/js/wcfmvm-scripts.js
  • /wp-content/plugins/wc-multivendor-membership/assets/css/wcfmvm-styles.css
  • /wp-content/plugins/wc-multivendor-membership/assets/css/wcfmvm-responsive.css
  • /wp-content/plugins/wc-multivendor-membership/assets/js/frontend/wcfmvm-frontend.js

Script Paths
  • /wp-content/plugins/wc-multivendor-membership/assets/js/wcfmvm-scripts.js
  • /wp-content/plugins/wc-multivendor-membership/assets/js/frontend/wcfmvm-frontend.js

Version Parameters
  • wc-multivendor-membership/assets/js/wcfmvm-scripts.js?ver=
  • wc-multivendor-membership/assets/css/wcfmvm-styles.css?ver=
  • wc-multivendor-membership/assets/css/wcfmvm-responsive.css?ver=
  • wc-multivendor-membership/assets/js/frontend/wcfmvm-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wcfmvm_membership_details
  • wcfmvm_membership_plan
  • wcfmvm_membership_form
  • wcfmvm_membership_table
  • wcfmvm_membership_wrap
  • wcfmvm_vendor_membership

HTML Comments
  • <!-- WCFM Membership Page Template -->
  • <!-- WCFM Membership End Points -->
  • <!-- WCFM Membership Page -->
  • <!-- WCFM Membership Endpoint Edit -->
  • +12 more

Data Attributes
  • data-wcfmvm_plan_id
  • data-wcfmvm_vendor_id

JS Globals
  • WCFMvm_frontend_params

REST Endpoints
  • /wp-json/wcfmvm/v1/membership/settings
  • /wp-json/wcfmvm/v1/membership/plans
  • /wp-json/wcfmvm/v1/membership/vendors
  • /wp-json/wcfmvm/v1/membership/purchase
  • /wp-json/wcfmvm/v1/membership/renew

Shortcode Output
  • [wcfm_vendor_membership]