Wclovers Wclovers

  1. Vendors
  2. Wclovers

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Wclovers product.

RSS Feeds for Wclovers security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Wclovers products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Wclovers Sorted by Most Security Vulnerabilities since 2018

Wclovers Frontend Manager Woocommerce Along With Bookings Subscription Listings Compatible6 vulnerabilities

Wclovers Wcfm Marketplace5 vulnerabilities

Wclovers Wcfm Membership4 vulnerabilities

Wclovers Woocommerce Multivendor Marketplace1 vulnerability

By the Year

In 2026 there have been 5 vulnerabilities in Wclovers with an average score of 6.6 out of ten. Last year, in 2025 Wclovers had 3 security vulnerabilities published. That is, 2 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.63.




Year Vulnerabilities Average Score
2026 5 6.60
2025 3 5.97
2024 3 7.43
2023 9 7.52
2022 0 0.00
2021 2 9.30

It may take a day or so for new Wclovers vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Wclovers Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-2554 May 02, 2026
Insecure Direct Object Reference: WCFM Delete Customer (6.7.25) The WCFM Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.
CVE-2026-4896 Apr 04, 2026
IDOR in WCFM Frontend Manager 6.7.25 Vendor-level can delete any product/order The WCFM Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership.
CVE-2026-1722 Feb 10, 2026
WCFM Marketplace <3.7.0 IDOR via wcfm-refund-requests-form The WCFM Marketplace Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings.
CVE-2026-0845 Feb 09, 2026
WCFM 6.7.24: Cap Check Bypass Enables Priv Esc via Settings Update The WCFM Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVE-2025-15147 Feb 09, 2026
WCFM Membership <2.11.8 - IDOR in Payment Ctrl lets Subs to alter users payments The WCFM Membership WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments.
CVE-2025-64631 Dec 16, 2025
Missing Auth in WC Lovers WCFM Marketplace (<=3.6.15) Missing Authorization vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCFM Marketplace: from n/a through <= 3.7.1.
Wcfm Marketplace
CVE-2025-3780 Jul 09, 2025
Unauth data modification in WCFM Frontend Manager <=6.7.16 The WCFM Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys
Frontend Manager Woocommerce Along With Bookings Subscription Listings Compatible
CVE-2025-1311 Mar 22, 2025
SQL Injection via 'id' param in WooCommerce MV Marketplace API plugin (<=1.6.2) The WooCommerce Multivendor Marketplace REST API plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in the update_delivery_status() function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-8290 Sep 25, 2024
IDOR via Missing ID Validation in WCFM Frontend Manager <= 6.7.12 The WCFM Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the ID user controlled key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts which allows them to reset the password and access the administrator account.
Frontend Manager Woocommerce Along With Bookings Subscription Listings Compatible
CVE-2024-44009 Sep 17, 2024
WCFM Marketplace 3.6.10 Reflected XSS via Unescaped Input Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Reflected XSS.This issue affects WCFM Marketplace: from n/a through <= 3.6.11.
Wcfm Marketplace
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.