PT-2026-7240 · WordPress+1 · Wcfm Marketplace+1
Gibran Abdillah · Published 2026-02-10 · Updated 2026-02-10
CVE-2026-1722
| CVSS v3.1 | 5.3 (Medium) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin versions prior to 3.7.1
Description
The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is susceptible to an Insecure Direct Object Reference (IDOR) issue. The plugin does not perform proper authorization checks in the wcfm-refund-requests-form AJAX controller, so unauthenticated attackers can create refund requests for any order ID and item ID. If automatic refund approval is enabled, this can result in financial loss. The vulnerable component lets attackers bypass authorization controls and directly access and manipulate refund requests.
Recommendations
Update the plugin to version 3.7.1 or later.
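As an added illustration of the class of defect described above (this is not code from the WCFM Marketplace plugin), the two handlers below contrast a WordPress AJAX endpoint that accepts a refund request from anyone with one that enforces the checks an AJAX controller of this kind needs: a logged-in user, a CSRF nonce, and an ownership check that ties the submitted order ID and item ID to the caller. Only the `wcfm-refund-requests-form` action name comes from the advisory; the function names, the nonce action and the `example_refund_requests` table are hypothetical. The WooCommerce calls (`wc_get_order`, `get_customer_id`, `get_items`) and the WordPress helpers (`check_ajax_referer`, `wp_send_json_error`, `absint`) are real APIs.

```php
<?php
// Added example, not the plugin's code. Function names, the nonce action and
// the table name are hypothetical; the action name is the one in the advisory.

// --- Weak pattern -----------------------------------------------------------
// Registering a state-changing action on the "nopriv" hook exposes it to
// unauthenticated requests, and the handler trusts order_id / item_id from the
// request body without checking who owns that order.
add_action( 'wp_ajax_nopriv_wcfm-refund-requests-form', 'example_refund_request_weak' );
function example_refund_request_weak() {
    global $wpdb;
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $item_id  = absint( $_POST['item_id'] ?? 0 );

    // No nonce, no login check, no ownership check: any caller can queue a
    // refund for any order/item pair. With auto-approval on, money moves.
    $wpdb->insert(
        $wpdb->prefix . 'example_refund_requests',          // hypothetical table
        array( 'order_id' => $order_id, 'item_id' => $item_id, 'status' => 'pending' ),
        array( '%d', '%d', '%s' )
    );
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// Logged-in users only (no nopriv hook), a nonce bound to this action, and an
// ownership check on the supplied IDs before anything is written.
add_action( 'wp_ajax_wcfm-refund-requests-form', 'example_refund_request_hardened' );
function example_refund_request_hardened() {
    global $wpdb;

    // The form must carry a nonce created with
    // wp_create_nonce( 'example_refund_request' ) in a field named "nonce".
    // check_ajax_referer() terminates the request (HTTP 403) if it is missing or invalid.
    check_ajax_referer( 'example_refund_request', 'nonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'unauthorized', 401 );   // wp_send_json_error() exits
    }

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $item_id  = absint( $_POST['item_id'] ?? 0 );

    // IDOR check 1: the order must exist and belong to the caller.
    $order = wc_get_order( $order_id );
    if ( ! $order || (int) $order->get_customer_id() !== $user_id ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // IDOR check 2: the item must belong to *that* order, not merely be a
    // valid item ID somewhere in the store. get_items() is keyed by item ID.
    $items = $order->get_items();
    if ( ! isset( $items[ $item_id ] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only now is the request recorded. Keeping refunds in a "pending" state
    // for review, rather than auto-approving, limits the blast radius of any
    // remaining authorization bug.
    $wpdb->insert(
        $wpdb->prefix . 'example_refund_requests',          // hypothetical table
        array(
            'order_id' => $order_id,
            'item_id'  => $item_id,
            'user_id'  => $user_id,
            'status'   => 'pending',
        ),
        array( '%d', '%d', '%d', '%s' )
    );
    wp_send_json_success();
}
```

The three checks are independent and all three are needed: the nonce stops cross-site request forgery but says nothing about which order the user may touch; the login check stops anonymous callers but not a logged-in customer supplying someone else's order ID; only the ownership lookup against the order's customer ID closes the IDOR. For detection, a handler registered on a `wp_ajax_nopriv_*` hook that writes to the database is a useful code-review and static-analysis signal.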
Weakness Enumeration
Missing Authorization
Related identifiers
Affected products
Wcfm Marketplace
Woocommerce