{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15147", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-27T13:25:09.137Z", "datePublished": "2026-02-09T23:23:28.319Z", "dateUpdated": "2026-04-08T17:21:40.486Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:40.486Z"}, "affected": [{"vendor": "wclovers", "product": "WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.11.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments."}], "title": "WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8d286db-b2a7-46c4-825f-dc67dda8a63d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3455830/wc-multivendor-membership#file436"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-membership/tags/2.11.8/controllers/wcfmvm-controller-memberships-payment.php#L32"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jing Xuan Sun"}], "timeline": [{"time": "2026-02-03T12:31:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-09T11:17:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T16:47:21.782233Z", "id": "CVE-2025-15147", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:47:58.682Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15147", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T16:47:21.782233Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:47:55.555Z"}}], "cna": {"title": "WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment", "credits": [{"lang": "en", "type": "finder", "value": "Jing Xuan Sun"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wclovers", "product": "WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.11.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-03T12:31:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-09T11:17:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8d286db-b2a7-46c4-825f-dc67dda8a63d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3455830/wc-multivendor-membership#file436"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-membership/tags/2.11.8/controllers/wcfmvm-controller-memberships-payment.php#L32"}], "descriptions": [{"lang": "en", "value": "The WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:40.486Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15147", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:40.486Z", "dateReserved": "2025-12-27T13:25:09.137Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-09T23:23:28.319Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments."}, {"lang": "es", "value": "El plugin WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 2.11.8 (inclusive), a trav\u00e9s de 'WCFMvm_Memberships_Payment_Controller::processing' debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, modificar los pagos de membres\u00eda de otros usuarios."}], "id": "CVE-2025-15147", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-10T00:16:04.407", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-membership/tags/2.11.8/controllers/wcfmvm-controller-memberships-payment.php#L32"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3455830/wc-multivendor-membership#file436"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8d286db-b2a7-46c4-825f-dc67dda8a63d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.8]"}}], "product": "wcfm_membership_\u2013_woocommerce_memberships_for_multivendor_marketplace", "vendor": "wclovers"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-20T20:55:58.196721+00:00", "value": {"mitigation_remediation": ["Upgrade the WCFM Membership plugin to the latest version that contains the IDOR fix or apply any vendor\u2010supplied patch if available.", "Restrict the Subscriber role so it no longer has permission to invoke the payment controller or modify membership payments; grant this ability only to higher roles such as Editor or Administrator.", "Enable or review WordPress audit logs and monitoring for unauthorized changes to payment records, investigating any anomalies promptly."], "summary": {"action": "Update Plugin", "impact": "Insecure Direct Object Reference enabling modification of other users' membership payments"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace plugin version 2.11.8 or older are affected. The plugin is developed and maintained by WCLovers.\n", "description_and_impact": "The flaw is an IDOR in the WCFM Membership plugin that allows a user to alter any other customer\u2019s payment record by supplying a tampered identifier to the payment controller. This violates data integrity, potentially enabling unauthorized changes to membership billing, fraud, or service disruption. It is a moderate risk flaw with a CVSS score of 4.3 because it only compromises account integrity and requires an authenticated user.\n", "risk_and_exploitability": "The vulnerability can only be exploited by an authenticated user with at least a Subscriber role, meaning the attacker must have or compromise a legitimate account. No remote code execution or privileged escalation is involved. The EPSS score of less than 1% indicates a very low probability of exploitation, and the flaw is not listed in the CISA KEV catalog. The attack path is simple: send a crafted request to the payment processing endpoint without proper ownership validation. The CVSS score reflects the moderate impact and limited attacker capability."}}}}, "created": "2026-02-10T21:42:12.680264+00:00", "updated": "2026-04-20T21:00:12.964735+00:00", "vendors": ["wclovers", "wclovers$PRODUCT$wcfm_membership_\u2013_woocommerce_memberships_for_multivendor_marketplace", "wordpress", "wordpress$PRODUCT$wordpress"]}