CVE-2025-49265 PUBLISHED

WordPress Membership For WooCommerce <= 2.8.1 - Broken Access Control Vulnerability

Assigner: Patchstack
Reserved: 04.06.2025 Published: 09.06.2025 Updated: 09.06.2025

Missing Authorization vulnerability in WP Swings Membership For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Membership For WooCommerce: from n/a through 2.8.1.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	WP Swings
Product	Membership For WooCommerce
Versions	Default: unaffected affected from n/a to 2.8.1 (incl.)

Solutions

Update the WordPress Membership For WooCommerce plugin to the latest available version (at least 2.8.2).

Credits

timomangcut (Patchstack Alliance) finder

References

https://patchstack.com/database/wordpress/plugin/membership-for-woocommerce/vulnerability/wordpress-membership-for-woocommerce-2-8-1-broken-access-control-vulnerability?_s_id=cve

Problem Types

CWE-862 Missing Authorization CWE

Impacts

CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs