First published: Sat May 20 2023
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.10.7. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Wclovers Wcfm Membership | <=2.10.7 | |
This vulnerability is tracked as CVE-2023-2276.
CVE-2023-2276 is rated critical, with a severity score of 9.8.
CVE-2023-2276 allows attackers to bypass authorization and access objects in the WCFM Membership plugin for WordPress.
Versions up to and including 2.10.7 of the WCFM Membership plugin are affected by CVE-2023-2276.
References for CVE-2023-2276 are available [here](https://lana.codes/lanavdb/3a841453-d083-4f97-a7f1-b398c7304284/), [here](https://plugins.trac.wordpress.org/browser/wc-multivendor-membership/tags/2.10.7/controllers/wcfmvm-controller-memberships-registration.php#L124), and [here](https://plugins.trac.wordpress.org/changeset/2907455/).
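To make the authorization failure described above concrete, the following is an added illustration (not the plugin's own code; the hook names, field names and function names are assumed) of a WordPress AJAX password-change handler in the IDOR shape the advisory describes, placed beside a hardened version that takes the target account from the session and checks a nonce and the `edit_user` capability.

```php
<?php
// Hypothetical illustration, not WCFM Membership's code. Hook names,
// POST field names and function names are assumed for the example.

// VULNERABLE shape: the account to modify comes straight from the request
// and the action is also registered for visitors without a session, so
// any caller can name an arbitrary user ID and overwrite its password.
function example_vulnerable_set_password() {
    $user_id  = absint( $_POST['member_id'] );   // caller-controlled object reference
    $password = (string) $_POST['new_password'];
    wp_set_password( $password, $user_id );      // no nonce, ownership or capability check
    wp_send_json_success();
}
add_action( 'wp_ajax_example_set_password_vuln',        'example_vulnerable_set_password' );
add_action( 'wp_ajax_nopriv_example_set_password_vuln', 'example_vulnerable_set_password' );

// HARDENED shape: the request never chooses the object on its own. The
// subject defaults to the logged-in user; acting on another account needs
// the 'edit_user' capability for that specific user; the request must
// carry a valid nonce; and there is no nopriv hook, because an
// unauthenticated visitor has no account of their own to change.
function example_hardened_set_password() {
    check_ajax_referer( 'example_set_password', 'nonce' ); // dies on a bad or missing nonce

    $current = get_current_user_id();
    if ( ! $current ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // Honour an explicit member_id only when the caller may edit that user
    // (e.g. an administrator managing members); otherwise act on self.
    $target = isset( $_POST['member_id'] ) ? absint( $_POST['member_id'] ) : $current;
    if ( $target !== $current && ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $password, $target );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_set_password', 'example_hardened_set_password' );
```

The key difference is where the object reference originates: in the hardened form the session identifies the subject, and any deviation from self requires an explicit capability check against that exact user ID.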