CVE-2026-1722 is a vulnerability identified in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress, affecting all versions up to and including 3.7.0. The root cause is the absence of authorization checks in the 'wcfm-refund-requests-form' AJAX controller, which handles refund requests. This flaw constitutes an Insecure Direct Object Reference (IDOR), categorized under CWE-862, where the system fails to verify whether the requester is authorized to create refund requests for specific order and item IDs. Because the AJAX endpoint does not require authentication or user interaction, an attacker can craft requests to generate arbitrary refund requests for any order in the system. If the plugin settings enable automatic refund approval, these unauthorized refund requests can be processed without manual oversight, potentially resulting in financial losses for merchants. The vulnerability impacts the integrity of the refund process but does not affect confidentiality or availability. The CVSS v3.1 base score is 5.3 (medium), reflecting the ease of exploitation (network vector, no privileges required, no user interaction) but limited impact scope (integrity only, no confidentiality or availability impact). No patches or known exploits are currently available, emphasizing the need for proactive mitigation by users of the plugin. This vulnerability is particularly critical for e-commerce sites relying on the WCFM Marketplace plugin, which is widely used in WooCommerce-based multivendor marketplaces.

The primary impact of CVE-2026-1722 is unauthorized creation of refund requests, which compromises the integrity of the refund process. If automatic refund approval is enabled, attackers can exploit this to cause direct financial losses by triggering refunds without merchant consent. This undermines trust in the e-commerce platform and can lead to revenue loss, increased chargebacks, and administrative overhead to reconcile fraudulent refunds. Although confidentiality and availability are not directly affected, the financial and reputational damage can be significant, especially for high-volume multivendor marketplaces. Organizations relying on this plugin without additional controls are vulnerable to fraud and abuse. The ease of exploitation (no authentication or user interaction required) increases the risk of widespread abuse if the vulnerability is publicly disclosed or exploited. The lack of known exploits currently provides a window for mitigation before active attacks emerge.

1. Immediately disable automatic refund approval in the WCFM Marketplace plugin settings to prevent unauthorized refunds from being processed automatically. 2. Apply any available patches or updates from the vendor once released; monitor vendor communications closely for security updates. 3. Implement web application firewall (WAF) rules to restrict access to the 'wcfm-refund-requests-form' AJAX endpoint, limiting requests to authenticated and authorized users only. 4. Monitor refund request logs for unusual or suspicious activity, such as refund requests from unknown IP addresses or for orders not associated with the requester. 5. Employ rate limiting on AJAX endpoints to reduce the risk of mass exploitation attempts. 6. Conduct a thorough audit of refund processes and consider adding manual approval steps if not already in place. 7. Educate staff and vendors on recognizing fraudulent refund activity and establish incident response procedures for suspected abuse. 8. Review and harden WordPress user roles and permissions to minimize exposure of sensitive AJAX endpoints. These steps go beyond generic advice by focusing on configuration changes, monitoring, and access controls specific to this vulnerability.