Description
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys.
Published: 2025-07-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Modification
Action: Apply Patch
AI Analysis

Impact

The WCFM – Frontend Manager for WooCommerce plugin performs no capability check in its wcfm_redirect_to_setup function (CWE-862, Missing Authorization). As a result, an attacker with no authentication and no WordPress role can read and alter the plugin's settings, including payment details and API keys. Because the same flaw permits both reading and writing, an attacker can harvest the secrets already stored in those settings and replace them with values of their own choosing.

Affected Systems

The vulnerability is present in the WCFM plugin from wclovers (Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible) in all versions up to and including 6.7.16. The advisory states no lower bound, so every release up to 6.7.16 should be treated as affected.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) rates the issue Medium: it is reachable over the network, needs no privileges and no user interaction, and has low confidentiality and integrity impact with no availability impact. The EPSS score below 1% indicates a low observed likelihood of exploitation, and the CVE is not listed in the CISA KEV catalog. The attack path inferred from the description is a remote web request that reaches the wcfm_redirect_to_setup function without any authentication, through which the attacker reads or changes the plugin settings, including payment configuration and API keys. Two caveats when prioritising: the SSVC enrichment recorded in the history below marks the issue Automatable: yes, and an unauthenticated request with no user interaction is straightforward to script, so the low EPSS is not a reason to defer patching; and the C:L/I:L ratings describe the plugin's settings only, so the real impact depends on what the exposed API keys and payment details grant elsewhere.
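The following PHP is an added illustration of the CWE-862 pattern described above and of the capability check a fix adds; it is not the plugin's own code and does not claim to show what wcfm_redirect_to_setup does internally. The demo_* function names, the option and field names, and the init hook are hypothetical, and the stand-in functions at the top exist only so the file runs under the php command-line interpreter outside WordPress.

```php
<?php
/**
 * Added illustration (not WCFM's code): a settings handler hooked into
 * WordPress with no authorization check, beside the hardened version.
 * All demo_* names, option names and the hook are hypothetical.
 */

// --- Minimal stand-ins so this file runs under `php` outside WordPress.
// Inside WordPress the real functions exist and this block is skipped.
if ( ! function_exists( 'current_user_can' ) ) {
    $GLOBALS['demo_options'] = array();
    $GLOBALS['demo_caps']    = array();            // capabilities of the "current user"
    $GLOBALS['demo_nonce']   = 'demo-nonce-1234';  // constructed nonce secret

    function current_user_can( $cap ) { return in_array( $cap, $GLOBALS['demo_caps'], true ); }
    function wp_verify_nonce( $nonce, $action ) { return $nonce === $GLOBALS['demo_nonce'] . ':' . $action; }
    function update_option( $name, $value ) { $GLOBALS['demo_options'][ $name ] = $value; return true; }
    function get_option( $name, $default = false ) { return $GLOBALS['demo_options'][ $name ] ?? $default; }
    function sanitize_text_field( $s ) { return trim( strip_tags( (string) $s ) ); }
    function wp_die( $msg ) { throw new RuntimeException( $msg ); } // real wp_die() ends the request
    function add_action( $hook, $cb ) { /* no-op outside WordPress */ }
}

// --- Vulnerable pattern (CWE-862): the hook fires for any request, including
// unauthenticated ones, and the handler trusts whatever arrives in $_POST.
function demo_vuln_redirect_to_setup() {
    if ( isset( $_POST['demo_setup_save'] ) ) {
        update_option( 'demo_payment_api_key', $_POST['demo_payment_api_key'] );
    }
}

// --- Hardened pattern: capability check, nonce check, then sanitization.
function demo_safe_redirect_to_setup() {
    if ( ! isset( $_POST['demo_setup_save'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'demo_setup_save' ) ) {
        wp_die( 'Invalid nonce.' );
    }
    update_option( 'demo_payment_api_key', sanitize_text_field( $_POST['demo_payment_api_key'] ) );
}

add_action( 'init', 'demo_safe_redirect_to_setup' );

// --- Self-check from the command line: a constructed unauthenticated request
// changes the option through the vulnerable handler but not the hardened one.
if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
    $_POST = array( 'demo_setup_save' => '1', 'demo_payment_api_key' => 'sk_attacker' );
    update_option( 'demo_payment_api_key', 'sk_original' );

    demo_vuln_redirect_to_setup();
    printf( "vulnerable handler, no auth: key is now %s\n", get_option( 'demo_payment_api_key' ) );

    update_option( 'demo_payment_api_key', 'sk_original' );
    try {
        demo_safe_redirect_to_setup();
    } catch ( RuntimeException $e ) {
        printf( "hardened handler, no auth: rejected (%s)\n", $e->getMessage() );
    }
    printf( "hardened handler, no auth: key is still %s\n", get_option( 'demo_payment_api_key' ) );

    // The same request from an administrator carrying a valid nonce succeeds.
    $GLOBALS['demo_caps'] = array( 'manage_options' );
    $_POST['_wpnonce']    = $GLOBALS['demo_nonce'] . ':demo_setup_save';
    demo_safe_redirect_to_setup();
    printf( "hardened handler, admin + nonce: key is now %s\n", get_option( 'demo_payment_api_key' ) );
}
```

The order of the checks in the hardened handler matters: the capability check rejects anonymous and low-privilege callers before anything else runs, the nonce check stops an administrator from being tricked into submitting the form cross-site, and sanitization is applied only to input that has already passed both. A nonce alone is not an authorization check, and a WordPress role restriction on a settings page does nothing for a function that never asks current_user_can() itself.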

Generated by OpenCVE AI on April 28, 2026 at 01:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WCFM plugin to version 6.7.17 or newer, which adds the missing capability check.
  • Until the update is applied, restrict the requests that can reach the vulnerable function at the web server or WAF layer, for example by source IP if the site's legitimate administrators use a fixed set of addresses. Restricting the settings page to administrator roles inside WordPress does not help on its own: the flaw is that wcfm_redirect_to_setup never checks a capability, so role-based restrictions never apply to it.
  • Review the plugin's current settings for unexpected changes and, if the payment details or API keys stored in them may have been exposed, rotate them immediately. Because the flaw allows reading as well as writing, treat any secret held in the plugin settings while a vulnerable version was reachable as disclosed.

Advisories
Source: EUVD
ID: EUVD-2025-20756
Title: The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys.
History

Thu, 17 Jul 2025 13:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wclovers; Wclovers Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible
CPEs                |                | cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*
Vendors & Products  |                | Wclovers; Wclovers Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible

Wed, 16 Jul 2025 13:45:00 +0000

Type    | Values Removed          | Values Added
Metrics | epss {'score': 0.00044} | epss {'score': 0.00059}


Mon, 14 Jul 2025 13:45:00 +0000

Type    | Values Removed          | Values Added
Metrics | epss {'score': 0.00034} | epss {'score': 0.00044}


Wed, 09 Jul 2025 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 08 Jul 2025 23:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys.
Title       |                | WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:46.567Z

Reserved: 2025-04-17T19:51:29.910Z

Link: CVE-2025-3780

Vulnrichment

Updated: 2025-07-09T13:15:31.453Z

NVD

Status : Analyzed

Published: 2025-07-09T00:15:39.570

Modified: 2025-07-17T13:34:21.007

Link: CVE-2025-3780

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T01:15:15Z

Weaknesses