CVE-2026-1722
📋 TL;DR
This vulnerability allows unauthenticated attackers to create arbitrary refund requests for any order in the WCFM Marketplace plugin for WordPress. Attackers can exploit this to cause financial loss if automatic refund approval is enabled. All WordPress sites running WCFM Marketplace plugin versions up to and including 3.7.0 are affected.
💻 Affected Systems
- WCFM Marketplace – Multivendor Marketplace for WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete financial loss through unauthorized refunds if automatic approval is enabled, potentially bankrupting the business.
Likely Case
Unauthorized refunds for specific orders, causing financial loss and administrative overhead to investigate and reverse fraudulent transactions.
If Mitigated
No impact if automatic refund approval is disabled and manual review catches unauthorized requests.
🎯 Exploit Status
Exploitation requires sending crafted AJAX requests to the vulnerable endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.1 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the WCFM Marketplace plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.7.1+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Automatic Refund Approval
Prevents automatic processing of refund requests, requiring manual review before any money moves.
Restrict AJAX Endpoint Access
Block access to the vulnerable AJAX controller via a web application firewall or .htaccess. Note that admin-ajax.php is shared by every plugin and theme, and a file-level rule cannot see the POST `action` parameter, so the rule below blocks all AJAX traffic (including legitimate WooCommerce front-end calls); restricting only the `wcfm_refund_requests` action requires a WAF rule that inspects the request body.

```apache
# Add to .htaccess (Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat,
# or use "Require all denied" instead of the Order/Deny pair)
<Files "admin-ajax.php">
    Order allow,deny
    Deny from all
</Files>
# Then selectively re-allow only the AJAX actions you need, e.g. through a WAF rule
# keyed on the "action" parameter, since <Files> cannot match on it
```
🧯 If You Can't Patch
- Disable the WCFM Marketplace plugin immediately
- Implement strict monitoring of refund transactions and review all refund requests manually
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > WCFM Marketplace. If version is 3.7.0 or lower, you are vulnerable.
Check Version:
```shell
# WP-CLI filters on the plugin slug (directory name), which for this plugin is
# wc-multivendor-marketplace, not the display name
wp plugin list --name=wc-multivendor-marketplace --field=version
```
Verify Fix Applied:
After updating, verify plugin version shows 3.7.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=wcfm_refund_requests
- Unusual refund activity from unauthenticated IP addresses
- Refund requests for order IDs not associated with the requesting user
Network Indicators:
- HTTP POST requests to admin-ajax.php with wcfm_refund_requests parameter from external IPs
- Unusual volume of refund-related API calls
SIEM Query (Splunk-style):
```
source="web_logs" action="POST" uri="/wp-admin/admin-ajax.php" parameters="action=wcfm_refund_requests" | stats count by src_ip
```
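The SIEM query above expressed as a stand-alone detector over web-server access logs, added here as an example and not part of the original advisory. It assumes Apache/Nginx combined log format and that the `action` parameter appears in the query string; the sample lines are constructed, and the threshold is an assumption to tune per site.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
REFUND_ACTION = "wcfm_refund_requests"  # action name from the advisory's log indicators

def is_refund_ajax(line):
    """True for a POST to admin-ajax.php carrying action=wcfm_refund_requests in the
    query string. POST-body parameters are not written to access logs, so callers
    that send the action only in the body need WAF or request-body logging."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return False
    parts = urlsplit(m.group("target"))
    if parts.path != AJAX_PATH:
        return False
    return REFUND_ACTION in parse_qs(parts.query).get("action", [])

def count_by_src_ip(lines):
    """Equivalent of the advisory's '| stats count by src_ip' over matching lines."""
    return Counter(LOG_RE.match(l).group("ip") for l in lines if is_refund_ajax(l))

def flag_sources(lines, threshold=5):
    """Source IPs whose matching request count reaches the threshold (assumed default)."""
    return {ip: n for ip, n in count_by_src_ip(lines).items() if n >= threshold}

# Constructed sample log lines (not real traffic); documentation-range IPs
def _line(ip, method, target, status=200):
    return f'{ip} - - [10/Mar/2026:12:00:00 +0000] "{method} {target} HTTP/1.1" {status} 512 "-" "curl/8.0"'

SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/wp-admin/admin-ajax.php?action=wcfm_refund_requests")] * 6
    + [_line("198.51.100.2", "POST", "/wp-admin/admin-ajax.php?action=wcfm_refund_requests")]
    + [_line("203.0.113.7", "GET", "/wp-admin/admin-ajax.php?action=wcfm_refund_requests", 400)]
    + [_line("203.0.113.7", "POST", "/wp-admin/admin-ajax.php?action=heartbeat")]
)

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))  # {'203.0.113.7': 6}
```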
🔗 References
- https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.0/core/class-wcfmmp-refund.php#L235
- https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/trunk/core/class-wcfmmp-refund.php#L235
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455829%40wc-multivendor-marketplace%2Ftrunk&old=3424081%40wc-multivendor-marketplace%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d39ec46d-58c4-40e4-b94a-e7a9fc99291a?source=cve