Description
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership.
Published: 2026-04-04
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of orders, posts, and products
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the WooCommerce Frontend Manager allows authenticated users who possess Vendor-level or higher access privileges to perform arbitrary modifications on orders, posts, pages, and products through several AJAX actions, including wcfm_modify_order_status, delete_wcfm_article, delete_wcfm_product, and the article management controller. This weakness is a classic example of insecure direct object reference (CWE-639) where user-supplied identifiers are not properly validated, enabling the attacker to change data that they do not own. Consequences include tampering with order status, deleting or altering content, and potentially compromising business transactions and data integrity.

Affected Systems

The affected vendor is wclovers and the product is the WooCommerce Frontend Manager (WCFM). All released versions up to and including 6.7.25 are vulnerable, with the issue present in the core plugin as well as in the integrated Bookings Subscription Listings plugin.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, marking it as high severity. Exploitation requires authenticated access at the Vendor level or higher, which is typically granted to trusted users such as store managers. Given the simplicity of the AJAX interactions, successful exploitation is likely if an attacker can obtain such credentials. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog and no EPSS score is available, but the high CVSS indicates a significant risk when the conditions are met.

Generated by OpenCVE AI on April 4, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin update (version 6.7.26 or later) that patches the insecure object reference issue
  • Verify that the installed WCFM plugin version is within the safe range by checking the plugin settings or revision history
  • Restrict Vendor-level access to only trusted personnel and review user roles regularly
  • If an immediate update is not possible, consider disabling or monitoring the vulnerable AJAX endpoints until a patch is available
  • Maintain regular backups to allow recovery if content has been altered or deleted

Generated by OpenCVE AI on April 4, 2026 at 11:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Wclovers
Wclovers wcfm – Frontend Manager For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Wclovers
Wclovers wcfm – Frontend Manager For Woocommerce
Wordpress
Wordpress wordpress

Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership.
Title WCFM - WooCommerce Frontend Manager <= 6.7.25 - Insecure Direct Object References to Autenticated (Vendor+) Arbitrary Post/Product Manipulation
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Wclovers Wcfm – Frontend Manager For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:54.728Z

Reserved: 2026-03-26T14:26:49.942Z

Link: CVE-2026-4896

cve-icon Vulnrichment

Updated: 2026-04-06T16:47:41.115Z

cve-icon NVD

Status : Deferred

Published: 2026-04-04T08:16:06.543

Modified: 2026-04-24T18:13:28.877

Link: CVE-2026-4896

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:20:55Z

Weaknesses