WCFM Membership Insecure Direct Object Reference Vulnerability

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress. It affects all versions up to and including 2.11.8. The issue arises in the 'WCFMvm_Memberships_Payment_Controller::processing' method, which does not properly validate a user-controlled key. As a result, authenticated attackers with Subscriber-level access or higher can manipulate other users' membership payments.

Impact

Exploitation of this vulnerability allows for unauthorized modification of users' membership payment details.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'WCFMvm_Memberships_Payment_Controller::processing' method. The request must include the user ID of the account the attacker wishes to modify; because the method does not validate that ID, the change is applied to that account. This can be done through a custom script or a plugin that interacts with the WordPress REST API, targeting the specific endpoint that handles membership payments.

Remediation

Users are advised to update the WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin to version 2.11.9, which addresses the IDOR vulnerability by implementing the necessary validation on user IDs.
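The following PHP is an added illustration of the bug class described above and of the kind of validation the fix calls for. It is not code from the WCFM Membership plugin, not the vendor's patch, and not part of this advisory: the class names, the 'user_id' and 'payment' request fields, the nonce action name and the user-meta key are hypothetical stand-ins; only the WordPress API functions used (check_ajax_referer, get_current_user_id, current_user_can, absint, sanitize_text_field, wp_unslash, update_user_meta, wp_send_json_error, wp_send_json_success) are real.

```php
<?php
// Added illustration, not code from the WCFM Membership plugin or its fix.
// Class names, request fields, the nonce action and the meta key below are
// hypothetical; the WordPress functions called are real.

// Assumed storage for the example: the membership payment record is kept in
// user meta under a hypothetical key.
const EXAMPLE_PAYMENT_META_KEY = 'example_membership_payment';

class Example_Vulnerable_Payment_Controller {
    // IDOR pattern: the record to modify is selected by a user-controlled key
    // ('user_id' in the request body) that is never compared with the caller.
    public function processing() {
        $user_id = absint( $_POST['user_id'] ?? 0 );
        $payment = sanitize_text_field( wp_unslash( $_POST['payment'] ?? '' ) );

        // Any logged-in user can supply another account's ID here and the
        // write lands on that account.
        update_user_meta( $user_id, EXAMPLE_PAYMENT_META_KEY, $payment );
        wp_send_json_success();
    }
}

class Example_Hardened_Payment_Controller {
    public function processing() {
        // 1. CSRF check: the request must carry a nonce issued for this action
        //    (action name is hypothetical).
        check_ajax_referer( 'example_membership_payment', 'security' );

        // 2. Resolve the subject from the session, never from the request.
        $current_user_id = get_current_user_id();
        if ( 0 === $current_user_id ) {
            wp_send_json_error( 'not logged in', 401 );
        }

        // 3. If a user ID is still accepted (e.g. for site-admin tooling), it
        //    must match the caller, or the caller must hold a capability that
        //    legitimately covers other accounts.
        $requested_user_id = absint( $_POST['user_id'] ?? $current_user_id );
        if ( $requested_user_id !== $current_user_id && ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }

        $payment = sanitize_text_field( wp_unslash( $_POST['payment'] ?? '' ) );
        update_user_meta( $requested_user_id, EXAMPLE_PAYMENT_META_KEY, $payment );
        wp_send_json_success();
    }
}
```

The defensive point is the ownership check in step 3: an object identifier taken from the request is only trustworthy once it has been tied to the authenticated session or to an explicit capability. Until the plugin is updated, site operators can look for membership payment records changing for accounts other than the one that was logged in at the time as an indicator that this kind of manipulation is being attempted.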

Added: Feb 10, 2026, 2:08 AM
Updated: Feb 10, 2026, 2:08 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 2.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.