CVE-2026-1722 Overview
The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 3.7.0. The vulnerability exists due to missing authorization checks in the wcfm-refund-requests-form AJAX controller, allowing unauthenticated attackers to create arbitrary refund requests for any order ID and item ID. This vulnerability could lead to significant financial losses for e-commerce sites, particularly those with automatic refund approval enabled in their plugin settings.
Critical Impact
Unauthenticated attackers can submit fraudulent refund requests for any order, potentially causing direct financial losses to marketplace vendors and operators when automatic refund approval is enabled.
Affected Products
- WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin versions ≤ 3.7.0
- WordPress installations running vulnerable WCFM Marketplace versions
- WooCommerce-based multivendor marketplaces using WCFM
Discovery Timeline
- 2026-02-10 - CVE-2026-1722 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-1722
Vulnerability Analysis
This Insecure Direct Object Reference vulnerability (CWE-862: Missing Authorization) affects the WCFM Marketplace plugin's refund request functionality. The core issue lies in the wcfm-refund-requests-form AJAX controller within the class-wcfmmp-refund.php file, which fails to implement proper authorization checks before processing refund requests.
When a refund request is submitted through this AJAX endpoint, the application does not verify whether the requesting user has legitimate access to the order or item being referenced. This allows any unauthenticated user to craft malicious requests targeting arbitrary order IDs and item IDs within the marketplace.
The vulnerability is particularly dangerous in configurations where automatic refund approval is enabled, as attackers can potentially trigger immediate financial transactions without any manual review process. Even in manual approval scenarios, a high volume of fraudulent refund requests could overwhelm administrators and potentially slip through during processing.
Root Cause
The root cause of this vulnerability is the absence of authorization checks in the AJAX handler responsible for processing refund requests. The vulnerable code in class-wcfmmp-refund.php at line 235 processes incoming refund request parameters without first validating that the requesting user:
- Is authenticated to the WordPress system
- Has ownership or administrative rights over the referenced order
- Has permission to request refunds for the specified item
This is a basic failure to enforce authorization: the handler treats every incoming request as legitimate instead of checking who is asking and whether they own the order, which also violates the principle of least privilege.
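The three missing checks listed above map directly onto a few WordPress and WooCommerce API calls. The handler below is an added illustration of what an authorization-checked refund-request endpoint looks like; it is not the plugin's code or its actual patch. The hook name, the nonce action, the POST parameter names and the "pending" bookkeeping are assumptions made for the example; the WordPress/WooCommerce functions it calls are real.

```php
<?php
// Added example (not WCFM's code): an AJAX refund-request handler that performs
// the three checks from the root-cause section before touching any order.
// Assumptions: the hook name, the 'example_refund_request' nonce action and the
// POST parameter names (order_id, item_id, refund_reason) are hypothetical.

// Check 1: only the logged-in hook is registered. Deliberately NO
// wp_ajax_nopriv_ counterpart, so unauthenticated visitors never reach it.
add_action( 'wp_ajax_example_refund_request', 'example_handle_refund_request' );

function example_can_request_refund( $order, $item_id ) {
    $user_id = get_current_user_id();
    if ( ! $order || ! $user_id ) {
        return false;
    }
    // Check 2: the caller must own the order or hold shop-manager rights.
    $is_owner = ( (int) $order->get_customer_id() === $user_id );
    $is_admin = current_user_can( 'manage_woocommerce' );
    if ( ! $is_owner && ! $is_admin ) {
        return false;
    }
    // Check 3: the item must belong to THIS order. Looking the item up through
    // the order (not by item ID alone) stops a caller pairing an order they own
    // with a line item from someone else's order.
    if ( ! $order->get_item( $item_id ) ) {
        return false;
    }
    // Only paid orders are refundable here; adjust to your own policy.
    return $order->is_paid();
}

function example_handle_refund_request() {
    // Reject forged cross-site requests first (nonce action is an assumption).
    check_ajax_referer( 'example_refund_request', 'security' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $item_id  = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    $reason   = isset( $_POST['refund_reason'] )
        ? sanitize_text_field( wp_unslash( $_POST['refund_reason'] ) )
        : '';

    $order = wc_get_order( $order_id );
    if ( ! example_can_request_refund( $order, $item_id ) ) {
        // Same response for "does not exist" and "not yours", so the endpoint
        // does not confirm which order IDs are valid.
        wp_send_json_error( array( 'message' => 'Order not found.' ), 404 );
    }

    // Authorization passed: record the request as pending for human review.
    // Nothing here triggers a refund automatically.
    $order->add_order_note(
        sprintf( 'Refund requested for item %d by user %d: %s', $item_id, get_current_user_id(), $reason ),
        false
    );
    wp_send_json_success( array( 'order_id' => $order_id, 'item_id' => $item_id, 'status' => 'pending' ) );
}
```

The ownership and item checks are done against objects loaded from the database, never against values the client supplied, and the handler responds identically whether an order is missing or belongs to someone else.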
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending crafted HTTP requests to the WordPress AJAX endpoint with the wcfm-refund-requests-form action. The attacker would enumerate or guess valid order IDs and item IDs to submit fraudulent refund requests.
The attack flow typically involves:
- Identifying a WordPress site running the vulnerable WCFM Marketplace plugin
- Crafting an AJAX POST request to /wp-admin/admin-ajax.php with the vulnerable action
- Including arbitrary order ID and item ID parameters in the request
- Submitting the request without any authentication credentials
If automatic refund processing is enabled, the refund may be processed immediately. For technical details on the vulnerable code, refer to the WordPress Plugin Code Reference.
Detection Methods for CVE-2026-1722
Indicators of Compromise
- Unusual spike in refund requests, particularly from unauthenticated sessions or unfamiliar IP addresses
- Multiple refund requests for different orders originating from the same source IP in a short timeframe
- Refund requests submitted for orders that don't belong to the requesting user session
- Anomalous patterns in wp-admin/admin-ajax.php POST requests with wcfm-refund-requests-form action
Detection Strategies
- Monitor web application firewall (WAF) logs for POST requests to admin-ajax.php containing wcfm-refund-requests-form action parameter from unauthenticated sessions
- Implement rate limiting on the AJAX endpoint to detect and block enumeration attempts
- Configure alerting for refund requests that fail order ownership validation
- Review access logs for bulk requests to the refund endpoint from single IP addresses
Monitoring Recommendations
- Enable detailed logging for all WCFM Marketplace refund-related actions
- Set up alerts for any refund requests processed without corresponding authenticated user sessions
- Implement anomaly detection for refund request volumes that exceed normal baseline activity
- Monitor financial reconciliation reports for unexpected refund patterns
How to Mitigate CVE-2026-1722
Immediate Actions Required
- Update the WCFM Marketplace plugin to a version newer than 3.7.0 that includes the security fix
- Disable automatic refund approval in plugin settings until the patch is applied
- Review recent refund requests for any suspicious or unauthorized activity
- Implement WAF rules to block unauthenticated requests to the vulnerable AJAX endpoint
Patch Information
The vulnerability has been addressed in versions after 3.7.0. The fix implements proper authorization checks before processing refund requests. The patch can be reviewed in the WordPress Plugin Change Set.
For additional vulnerability details, refer to the Wordfence Vulnerability Report.
Workarounds
- Temporarily disable the WCFM Marketplace refund functionality until the patch can be applied
- Configure your web application firewall to require authentication for requests to admin-ajax.php with the wcfm-refund-requests-form action
- Implement server-level access restrictions on the AJAX endpoint for unauthenticated users
- Set up manual review requirements for all refund requests regardless of plugin settings
# Apache .htaccess rule to block unauthenticated AJAX refund requests
# Add to WordPress root .htaccess file
# Note: mod_rewrite can inspect the query string but not the POST body, so this
# rule only catches requests that pass the action in the URL. The X-Requested-With
# header is attacker-controlled and is not used as a signal.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} (^|&)action=wcfm-refund-requests-form(&|$)
# Treat a request with no WordPress login cookie as unauthenticated
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteRule ^ - [F,L]
</IfModule>
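Because the web server cannot see the POST body, a PHP-level guard inside WordPress is the more reliable place to apply the workaround, and it can implement the logging, rate limiting and unauthenticated-request alerting from the Detection Strategies and Monitoring Recommendations sections at the same time. The must-use plugin below is an added example written for this advisory, not code from WCFM or an official workaround. It assumes the controller name is passed as the WordPress AJAX `action` or as a `controller` parameter (the exact parameter WCFM uses is not stated on this page), and the rate-limit threshold, window and log prefix are arbitrary choices.

```php
<?php
/**
 * Plugin Name: Example refund-request guard (added example, not WCFM code)
 * Description: Drop into wp-content/mu-plugins/ to log every refund-request
 * AJAX call, reject unauthenticated ones and rate-limit the rest per IP.
 */

// Assumptions: the controller name arrives as the 'action' or 'controller'
// request parameter; the limits below are arbitrary and should be tuned.
define( 'EXAMPLE_REFUND_CONTROLLER', 'wcfm-refund-requests-form' );
define( 'EXAMPLE_REFUND_MAX_PER_WINDOW', 5 );   // requests per IP ...
define( 'EXAMPLE_REFUND_WINDOW_SECONDS', 600 ); // ... within a 10-minute window

function example_is_refund_request() {
    foreach ( array( 'action', 'controller' ) as $key ) {
        if ( isset( $_REQUEST[ $key ] ) && sanitize_key( $_REQUEST[ $key ] ) === EXAMPLE_REFUND_CONTROLLER ) {
            return true;
        }
    }
    return false;
}

function example_client_ip() {
    // REMOTE_ADDR is the one address the client cannot forge. If the site sits
    // behind a trusted proxy, resolve X-Forwarded-For at the proxy, not here.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_refund_guard() {
    if ( ! wp_doing_ajax() || ! example_is_refund_request() ) {
        return;
    }
    $ip  = example_client_ip();
    $who = is_user_logged_in() ? 'user:' . get_current_user_id() : 'anonymous';

    // Detailed log line for every attempt; feed these to your alerting so that
    // "anonymous" entries and bursts from one IP surface immediately.
    error_log( sprintf(
        '[refund-guard] %s ip=%s order_id=%s item_id=%s',
        $who,
        $ip,
        isset( $_REQUEST['order_id'] ) ? absint( $_REQUEST['order_id'] ) : '-',
        isset( $_REQUEST['item_id'] ) ? absint( $_REQUEST['item_id'] ) : '-'
    ) );

    // Workaround for the missing check: unauthenticated callers are rejected
    // before the plugin's own controller runs.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // Per-IP rate limit backed by a transient. set_transient() refreshes the
    // TTL on every hit, so the counter only resets once the IP has been quiet
    // for a full window, which is the conservative behaviour we want here.
    $key   = 'example_refund_rl_' . md5( $ip );
    $count = (int) get_transient( $key );
    if ( $count >= EXAMPLE_REFUND_MAX_PER_WINDOW ) {
        error_log( sprintf( '[refund-guard] rate limit exceeded ip=%s count=%d', $ip, $count ) );
        wp_send_json_error( array( 'message' => 'Too many refund requests.' ), 429 );
    }
    set_transient( $key, $count + 1, EXAMPLE_REFUND_WINDOW_SECONDS );
}

// admin-ajax.php fires admin_init before dispatching any wp_ajax_* callback,
// so hooking it at priority 1 puts this guard in front of the plugin's handler.
add_action( 'admin_init', 'example_refund_guard', 1 );
```

Because it lives in mu-plugins it cannot be deactivated from the dashboard, and it keeps working after the plugin is updated; once a fixed version is installed the guard can stay as a logging and rate-limiting layer or be removed.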
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

