CVE-2026-42753

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.10 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.11.11
Patched in
4d
Time to patch

Description

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.11.10. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.11.10
PublishedMay 29, 2026
Last updatedJune 1, 2026

What Changed in the Fix

Changes introduced in v2.11.11

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

' ) ) { WC()->session->__unset( 'wcfm_membership_free_registration' ); } ``` If an attacker can manipulate the session, they can potentially trigger the `wcfmvm_after_choosing_membership` action which might perform other logic. Actually, look at the CVSS …

Show full research plan

' ) ) {
WC()->session->__unset( 'wcfm_membership_free_registration' );
}
```
If an attacker can manipulate the session, they can potentially trigger the wcfmvm_after_choosing_membership action which might perform other logic.

    Actually, look at the CVSS Vector `I:L`. Integrity Low.
    This usually means "I can change data I'm not supposed to, but it's not catastrophic".
    Setting my own membership plan in my session before registration fits this perfectly.

*   **Vulnerability Summary:** The `WCFMvm_Ajax::wcfm_choose_membership` function is vulnerable to missing authorization/nonce bypass. By providing the `method=by_url` parameter, an unauthenticated attacker can bypass the `wcfm_ajax_nonce` check and arbitrarily set the `wcfm_membership` session variable.
*   **Attack Vector:** `admin-ajax.php`.
*   **Parameters:** `action=wcfm_choose_membership`, `method=by_url`, `membership=[ID]`.
*   **Authorization:** Unauthenticated.

*   **Nonce Acquisition?**
    Since the goal is to show a *bypass*, the strategy should be:
    1. Attempt to call `wcfm_choose_membership` *without* a nonce and *without* `method=by_url`. (Expected failure).
    2. Attempt to call it *without* a

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.