CVE-2025-15147
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to modify other users' membership payment data in the WCFM Membership plugin. Attackers can exploit missing validation on user-controlled parameters to manipulate payment records. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify payment records to grant unauthorized premium memberships, alter subscription statuses, or disrupt payment processing for other users.
Likely Case
Malicious users could upgrade their own membership levels without payment or modify other users' membership statuses.
If Mitigated
With proper user role restrictions and input validation, impact would be limited to authorized administrative actions only.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in a publicly accessible controller function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3455830/wc-multivendor-membership#file436
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'WCFM Membership – WooCommerce Memberships for Multivendor Marketplace'
4. Click 'Update Now' if update is available
5. If no update appears, manually download version 2.11.9+ from WordPress.org
6. Deactivate, delete old version, upload new version, and activate
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the vulnerable plugin until patched
wp plugin deactivate wc-multivendor-membership
Restrict User Registration
allTemporarily disable new user registration to limit attack surface
wp option update users_can_register 0
🧯 If You Can't Patch
- Implement strict input validation and authorization checks in the processing function
- Add Web Application Firewall (WAF) rules to block suspicious parameter manipulation
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 2.11.8 or lower, you are vulnerable.Check Version:
wp plugin get wc-multivendor-membership --field=versionVerify Fix Applied:
Verify plugin version is 2.11.9 or higher. Test payment modification functionality with non-admin users to ensure proper authorization checks.📡 Detection & Monitoring
Log Indicators:
- Unusual membership payment modifications from non-admin users
- Multiple failed authorization attempts on payment endpoints
- User role escalation without corresponding payment records
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=wcfmvm_memberships_payment_processing containing manipulated user IDs
SIEM Query:
source="wordpress.log" AND ("wcfmvm_memberships_payment_processing" OR "membership payment") AND user_role!="administrator"🔗 References
- https://plugins.trac.wordpress.org/browser/wc-multivendor-membership/tags/2.11.8/controllers/wcfmvm-controller-memberships-payment.php#L32
- https://plugins.trac.wordpress.org/changeset/3455830/wc-multivendor-membership#file436
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c8d286db-b2a7-46c4-825f-dc67dda8a63d?source=cve
