WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible < 6.7.17 – Missing Authorization to Unauthenticated Plugin Settings Modification | CVE 2025-3780 | Plugin Vulnerabilities

Description

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys

Affects Plugins

wc-frontend-manager

Fixed in 6.7.17

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/26a82493-a6a5-4d8e-8322-942925a54cc3

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Brian Sans-Souci (liardom)

Verified

No

WPVDB ID

0302e0cd-33de-4fa4-8838-81729c3e51ca

Timeline

Publicly Published

2025-07-08 (about 10 months ago)

Added

2025-07-08 (about 10 months ago)

Last Updated

2025-07-08 (about 10 months ago)

Other

Published

Title

Published

2023-06-15

Title

MasterStudy LMS < 3.0.9 - Subscriber+ Course Category Creation

Published

2025-12-31

Title

Accordion Slider Gallery <= 2.7 - Missing Authorization

Published

2026-01-25

Title

Share This Image < 2.10 - Missing Authorization

Published

2025-09-11

Title

Rank Math SEO < 1.0.253 - Missing Authorization

Published

2023-12-27

Title

Piotnet Forms < 1.0.30 - Missing Authorization via multiple AJAX actions