A vulnerability classified as critical was found in wclovers WCFM Membership Plugin up to 2.11.10. This affects the function wcfmvm_membership_change of the component AJAX Action. The manipulation results in improper control of resource identifiers.

This vulnerability is cataloged as CVE-2026-3688. The attack may be launched remotely. There is no exploit available.