Description
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Published: 2026-02-09
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Update Plugin
AI Analysis

Impact

The WCFM – Frontend Manager for WooCommerce plugin omits a capability check in the WCFM_Settings_Controller::processing function, allowing any authenticated user with Shop Manager level or higher to modify plugin options. This flaw enables changing the default role for new registrations to administrator, giving attackers full control over the site.

Affected Systems

All versions of the WCFM – Frontend Manager for WooCommerce plugin up to and including 6.7.24, released by WCLovers, are affected. The vulnerability resides in the settings controller and core AJAX handler files referenced in the plugin’s repository.

Risk and Exploitability

The CVSS score of 7.2 reflects a high severity vulnerability that permits privilege escalation by authenticated users. The EPSS score is less than 1%, indicating low current exploitation probability, and the issue is not in the CISA KEV catalog. Attackers must be authenticated with Shop Manager or higher; no remote code execution or unauthenticated access is required. Nonetheless, the ability to arbitrarily update options poses a significant risk to site security when registration settings and user roles are not tightly controlled.

Generated by OpenCVE AI on April 15, 2026 at 18:41 UTC.
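The flaw class described above (an AJAX settings handler that writes caller-chosen option names without checking who is calling) is easiest to see next to a hardened handler. The following is an added illustration written for this page, not code from the WCFM plugin or from WCLovers; the function names, nonce action and option keys (`example_*`) are hypothetical. It shows the pattern the advisory describes, the corrected handler (nonce, `manage_options` capability check, and an allowlist of the plugin's own option keys so `default_role` and `users_can_register` can never be reached), and an audit hook that records changes to those two options, which supports the "audit user roles" recommendation below.

```php
<?php
// Added illustration for this advisory page; hypothetical names, not WCFM code.

// --- Pattern the advisory describes: any logged-in user who can reach
// admin-ajax.php may update whichever option they name.
function example_settings_processing_insecure() {
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    foreach ( $settings as $name => $value ) {
        update_option( sanitize_key( $name ), $value ); // no capability check, no allowlist
    }
    wp_send_json_success();
}

// --- Hardened handler.
function example_settings_processing_secure() {
    // 1. Nonce: the request must originate from a form this plugin rendered (CSRF).
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // 2. Capability: only users allowed to manage site options proceed.
    //    Shop Managers do not hold manage_options by default, so they stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Allowlist: the plugin's own option keys, each paired with a sanitizer.
    //    Core options such as default_role and users_can_register are not listed,
    //    so they never reach update_option() from this endpoint.
    $allowed = array(
        'example_store_name'     => 'sanitize_text_field',
        'example_items_per_page' => 'absint',
    );

    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $updated  = array();
    foreach ( $settings as $name => $value ) {
        if ( ! isset( $allowed[ $name ] ) ) {
            continue; // silently ignore anything outside the plugin's own keys
        }
        update_option( $name, call_user_func( $allowed[ $name ], $value ) );
        $updated[] = $name;
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}
add_action( 'wp_ajax_example_settings_secure', 'example_settings_processing_secure' );

// --- Defender-side audit: record who changed the two options this advisory
// names, and through which request. WordPress fires update_option_{$option}
// with ( $old_value, $value, $option ) after a successful write.
function example_log_sensitive_option_change( $old_value, $value, $option ) {
    $user = wp_get_current_user();
    $uri  = isset( $_SERVER['REQUEST_URI'] ) ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : 'cli';
    error_log( sprintf(
        '[option-audit] %s changed from %s to %s by user #%d (%s) via %s',
        $option,
        wp_json_encode( $old_value ),
        wp_json_encode( $value ),
        $user->ID,
        $user->user_login,
        $uri
    ) );
}
add_action( 'update_option_default_role', 'example_log_sensitive_option_change', 10, 3 );
add_action( 'update_option_users_can_register', 'example_log_sensitive_option_change', 10, 3 );
```

Dropped into a small must-use plugin on a site that cannot be upgraded immediately, the audit hook alone gives a log line to alert on whenever the registration role or registration toggle changes; a site running the fixed plugin version still benefits from it, since other code paths can write the same options.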

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WCFM – Frontend Manager plugin to the latest version (≥6.7.25).
  • If an immediate upgrade is not possible, temporarily revoke Shop Manager permissions or disable the plugin until the patch is applied.
  • Audit user roles and capabilities, ensuring only users who truly need Shop Manager level have that role, and reset the default registration role to a non-admin setting.


Advisories

No advisories yet.

History

Tue, 10 Feb 2026 21:45:00 +0000

Type: First Time appeared
Values Added:
  • Wclovers
  • Wclovers frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Added:
  • Wclovers
  • Wclovers frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible
  • Wordpress
  • Wordpress wordpress

Tue, 10 Feb 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 23:45:00 +0000

Type: Description
Values Added:
  The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Type: Title
Values Added:
  WCFM - WooCommerce Frontend Manager <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update

Type: Weaknesses
Values Added:
  CWE-862

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added:
  {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:30.345Z

Reserved: 2026-01-10T15:14:52.880Z

Link: CVE-2026-0845

Vulnrichment

Updated: 2026-02-10T16:51:34.477Z

NVD

Status: Deferred

Published: 2026-02-10T00:16:05.993

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0845

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:45:11Z

Weaknesses