WCFM Marketplace Insecure Direct Object Reference Vulnerability Allowing Arbitrary Refund Requests

Vulnerability

A vulnerability exists in the WCFM Marketplace - Multivendor Marketplace for WooCommerce plugin for WordPress, specifically in versions up to and including 3.7.0. The issue arises from the absence of proper authorization checks in the 'wcfm-refund-requests-form' AJAX controller. This flaw enables unauthenticated attackers to create arbitrary refund requests for any order ID and item ID. If the plugin is configured to automatically approve refunds, this vulnerability could result in financial losses.
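The missing check described above is an authorization (ownership) check on the AJAX request. The following is an added illustration of how a WordPress/WooCommerce AJAX refund-request handler enforces it; it is not the WCFM Marketplace plugin's code, and the action name, nonce name, option key and meta key are assumptions made for the example.

```php
<?php
// Hypothetical hardened AJAX handler for a marketplace refund request.
// Added example, not the plugin's own code. Hook name, nonce action,
// option name and meta key below are assumed for illustration.

// Register only the logged-in hook. There is deliberately no
// 'wp_ajax_nopriv_' registration, so anonymous visitors never reach the handler.
add_action( 'wp_ajax_example_refund_request', 'example_handle_refund_request' );

function example_handle_refund_request() {
    // 1. CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'example_refund_request_nonce', 'security' );

    // 2. Authentication: an anonymous session cannot request a refund.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
    }

    // Cast the client-controlled identifiers to integers and sanitize free text.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $item_id  = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    $reason   = isset( $_POST['reason'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['reason'] ) )
        : '';

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Unknown order.' ), 404 );
    }

    // 3. Authorization (the IDOR check): the order must belong to the caller,
    //    unless the caller holds the WooCommerce order-management capability.
    $current_user_id = get_current_user_id();
    if ( (int) $order->get_customer_id() !== $current_user_id
        && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'You do not own this order.' ), 403 );
    }

    // 4. The item ID must be a line item of that order, not an arbitrary number.
    $item = $order->get_item( $item_id );
    if ( ! $item ) {
        wp_send_json_error( array( 'message' => 'Item not found in this order.' ), 404 );
    }

    // 5. Auto-approval is a business decision: keep it behind an explicit,
    //    default-off setting so a single request cannot trigger money movement
    //    unless the site operator opted in (option name assumed).
    $auto_approve = ( 'yes' === get_option( 'example_refund_auto_approve', 'no' ) );
    $status       = $auto_approve ? 'approved' : 'pending';

    // Record the request on the order itself (meta key assumed) so that every
    // request is attributable to the authenticated user who made it.
    $order->update_meta_data(
        '_example_refund_request_' . $item_id,
        array(
            'user_id'   => $current_user_id,
            'reason'    => $reason,
            'status'    => $status,
            'requested' => time(),
        )
    );
    $order->save();

    wp_send_json_success( array( 'status' => $status ) );
}
```

The essential defensive points are steps 2 to 4: the handler is unreachable without a session, the order must belong to the requester (or the requester must have an explicit elevated capability), and the item must actually be part of that order. A nonce alone (step 1) only proves the request originated from a page the site served to that user; it does not establish who owns the order, which is why it cannot replace the ownership check.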

Impact

Exploitation of this vulnerability could lead to unauthorized refund requests being created, potentially causing financial loss to the affected party, especially if automatic refund approval is enabled in the plugin settings.

Remediation

Users can update to version 3.7.1 or a newer patched version to address this vulnerability.

Added: Feb 10, 2026, 3:06 PM
Updated: Feb 10, 2026, 3:43 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 7.5
remediation: 7.7
relevance: 2.8
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.