Impact
The WCFM – Frontend Manager for WooCommerce plugin contains an insecure direct object reference that allows an authenticated user with Vendor‑level permissions or higher to delete any user account by providing an arbitrary customer ID. The missing validation on the 'wcfm_delete_wcfm_customer' endpoint means that malicious actors can remove administrators or other critical users, leading to loss of access, service disruption, and potential escalation of privileges if the deleted accounts were used for further operations.
Affected Systems
WordPress sites that have the WCFM – Frontend Manager for WooCommerce plugin from vendor wclovers installed in any version up to and including 6.7.25 are affected. The vulnerability exists in the core of the plugin that handles customer management for Store Owners, Vendors, and Administrators.
Risk and Exploitability
The CVSS score of 8.1 reflects high severity; exploitation requires an authenticated account with Vendor‑level or higher privileges and is not possible unauthenticated. No EPSS value is currently available, but the absence of a publicly listed exploit does not reduce the risk, since the flaw allows the deletion of critical accounts. The identified weakness is CWE‑639, indicating insufficient authorization checks on user deletion. An attacker can send a request to the vulnerable endpoint with any customer ID to remove that user, which could compromise site administration or lead to broader compromise if the user holds elevated roles.
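The following added example illustrates the CWE‑639 pattern and the object‑level authorization a fix needs; it is illustrative code, not the WCFM plugin's own handler. It assumes the endpoint is dispatched as an admin‑ajax action (hooked here under a hypothetical name), models the vendor/customer relationship with a hypothetical user‑meta key `_example_vendor_id`, and uses WooCommerce's `customer` role and core capabilities (`delete_users`, `manage_options`) for the target and caller checks.

```php
<?php
// Illustrative example (assumption-based), not code from the WCFM plugin.
// The vendor/customer link is modelled with the hypothetical meta key
// '_example_vendor_id'; WCFM's real storage may differ.

// Shape of the weakness (CWE-639): the ID from the request is used directly
// as the key for deletion, with no check that the caller may act on it.
function example_delete_customer_unchecked() {
    $customer_id = intval( $_POST['customer_id'] );
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $customer_id ); // any authenticated caller, any account
    wp_send_json_success();
}

// Hardened version: nonce, ownership and target-role checks before deletion.
function example_delete_customer_checked() {
    check_ajax_referer( 'example_delete_customer', 'nonce' );

    $customer_id = isset( $_POST['customer_id'] ) ? absint( $_POST['customer_id'] ) : 0;
    $caller_id   = get_current_user_id();
    if ( ! $customer_id || ! $caller_id ) {
        wp_send_json_error( 'invalid request', 400 ); // wp_send_json_error() ends the request
    }

    $target = get_userdata( $customer_id );
    if ( ! $target ) {
        wp_send_json_error( 'no such user', 404 );
    }

    // This front-end path may only ever remove plain customer accounts: never the
    // caller's own account and never an administrator, regardless of who asks.
    if ( $customer_id === $caller_id
        || user_can( $target, 'manage_options' )
        || ! in_array( 'customer', (array) $target->roles, true ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Object-level authorization: the record must belong to the calling vendor
    // unless the caller holds the core delete_users capability (site admin).
    $owner_id = (int) get_user_meta( $customer_id, '_example_vendor_id', true );
    if ( ! current_user_can( 'delete_users' ) && $owner_id !== $caller_id ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $customer_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_customer', 'example_delete_customer_checked' );
```

The unchecked function is kept only to show the missing step; a logging call on the two `forbidden` branches gives defenders a signal for attempts to delete records outside the caller's own customer set.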
OpenCVE Enrichment