WordPress Security Bulletin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace Vulnerability (CVE-2025-15147)

On this page

Security Alert Summary

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin contains an insecure direct object reference (IDOR) vulnerability that allows authenticated users with Subscriber-level access and above to modify other users’ membership payments. The issue is caused by missing validation on a user-controlled key in the plugin’s payment processing controller.


CVE Details

  • CVE ID: CVE-2025-15147
  • Affected component: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress
  • Affected versions: All versions up to, and including, 2.11.8
  • Published: February 10, 2026 at 12:16 AM UTC
  • Last modified: February 10, 2026 at 3:22 PM UTC
  • CVSS v3.1: Base Score 4.3 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Authentication / Privileges / User interaction: Privileges Required: Low (authenticated user). The CVE description specifies authenticated attackers with Subscriber-level access and above. User Interaction: None.
  • Primary impact: Integrity: Low. Confidentiality: None. Availability: None.
  • Weakness (CWE): CWE-639 (Unchecked Error Condition / Insecure Direct Object Reference)

Technical Details

This vulnerability is an Insecure Direct Object Reference (IDOR) in the plugin’s payment processing code. According to the CVE description, the issue exists in WCFMvm_Memberships_Payment_Controller::processing due to missing validation on a user-controlled key. Because the controller does not properly validate or authorize the identifier provided by the user, an authenticated user with low privileges (for example, a Subscriber) can influence which membership payment record is acted upon and thereby modify another user’s membership payment.

The direct cause is a lack of validation/authorization checks on the user-supplied key used to select or modify payment records in the processing routine. No REST endpoints other than the named processing function are specified in the CVE entry.


How This Could Impact Your Website

Consider a site with multiple roles: the site owner, internal staff who manage memberships, and external contributors or contractors. An attacker with Subscriber-level access could alter other users’ membership payment records. Practical consequences include inaccurate billing records, unintended changes to membership statuses, or disruption to normal membership management workflows.

For example, a contractor with a Subscriber account could modify payment entries for other members, which may require time and effort from staff to detect and correct billing inconsistencies. While the CVSS data indicates a primary impact to integrity (not confidentiality or availability), altered membership payment data can still have financial and operational effects.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed or patched version.)
  • Review and reduce unnecessary user roles and capabilities, especially for contributors and subscribers.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce your attack surface.
  • Monitor site activity and membership-related logs for unusual behavior or unexpected changes to payment records.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References