WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.10 - Missing Authorization
Description
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.11.10. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.11.10What Changed in the Fix
Changes introduced in v2.11.11
Source Code
WordPress.org SVN' ) ) { WC()->session->__unset( 'wcfm_membership_free_registration' ); } ``` If an attacker can manipulate the session, they can potentially trigger the `wcfmvm_after_choosing_membership` action which might perform other logic. Actually, look at the CVSS …
Show full research plan
' ) ) {
WC()->session->__unset( 'wcfm_membership_free_registration' );
}
```
If an attacker can manipulate the session, they can potentially trigger the wcfmvm_after_choosing_membership action which might perform other logic.
Actually, look at the CVSS Vector `I:L`. Integrity Low.
This usually means "I can change data I'm not supposed to, but it's not catastrophic".
Setting my own membership plan in my session before registration fits this perfectly.
* **Vulnerability Summary:** The `WCFMvm_Ajax::wcfm_choose_membership` function is vulnerable to missing authorization/nonce bypass. By providing the `method=by_url` parameter, an unauthenticated attacker can bypass the `wcfm_ajax_nonce` check and arbitrarily set the `wcfm_membership` session variable.
* **Attack Vector:** `admin-ajax.php`.
* **Parameters:** `action=wcfm_choose_membership`, `method=by_url`, `membership=[ID]`.
* **Authorization:** Unauthenticated.
* **Nonce Acquisition?**
Since the goal is to show a *bypass*, the strategy should be:
1. Attempt to call `wcfm_choose_membership` *without* a nonce and *without* `method=by_url`. (Expected failure).
2. Attempt to call it *without* a
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.