CVE-2026-1722 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The flaw exists in the AJAX controller `wcfm-refund-requests-form`, which processes refund requests without verifying whether the requester is authorized to perform such actions. This lack of authorization checks allows unauthenticated attackers to submit refund requests for arbitrary order IDs and item IDs. If the plugin's settings enable automatic refund approval, these unauthorized refund requests can be processed without manual intervention, resulting in financial losses for vendors and marketplace operators. The vulnerability affects all versions up to and including 3.7.0. The CVSS v3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based, requires no privileges or user interaction, and impacts integrity but not confidentiality or availability. No patches or fixes have been linked yet, and no known exploits are reported in the wild. The issue highlights a critical security design flaw where authorization controls are omitted in a sensitive transactional process, undermining the trustworthiness of refund operations within the marketplace environment.

For European organizations operating e-commerce platforms using WooCommerce with the WCFM Marketplace plugin, this vulnerability poses a direct financial risk. Attackers can exploit the missing authorization to generate fraudulent refund requests, potentially draining funds if automatic refund approval is enabled. This undermines the integrity of financial transactions and vendor trust. While confidentiality and availability remain unaffected, the integrity breach can disrupt business operations, cause revenue loss, and damage reputation. Small and medium-sized enterprises (SMEs) relying on automated refund workflows are particularly vulnerable. Additionally, marketplaces with multiple vendors may face disputes and increased administrative overhead to resolve fraudulent refunds. The risk is heightened in countries with widespread WooCommerce adoption and significant online retail sectors, where attackers may target high-volume platforms to maximize financial gain.

1. Immediately disable automatic refund approval in the WCFM Marketplace plugin settings to prevent unauthorized refunds from being processed automatically. 2. Apply strict authorization checks in the `wcfm-refund-requests-form` AJAX controller to ensure only authenticated and authorized users can submit refund requests. 3. Monitor refund request logs for unusual patterns, such as multiple refund requests from unauthenticated sources or for high-value orders. 4. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious refund request attempts targeting the vulnerable AJAX endpoint. 5. Keep the plugin updated and apply security patches as soon as they become available from the vendor. 6. Conduct regular security audits and penetration testing focusing on authorization controls in e-commerce workflows. 7. Educate marketplace vendors and administrators about the risks of enabling automatic refund approvals and encourage manual review processes until the vulnerability is fully remediated.