WordPress Plugin Vulnerabilities

WCFM - WooCommerce Frontend Manager < 6.7.26 - Insecure Direct Object References to Autenticated (Vendor+) Arbitrary Post/Product Manipulation

Description

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership.

Affects Plugins

Plugin icon
wc-frontend-manager
Fixed in 6.7.26

References

CVE
CVE-2026-4896
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f8248098-dff2-4bac-a138-aa40c7ab7a1c

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Osvaldo Noe Gonzalez Del Rio (Os)
Verified
No
WPVDB ID
8f267102-853f-4927-9a9b-3ea81bd43b5c

Timeline

Publicly Published
2026-04-03 (about 1 month ago)
Added
2026-04-03 (about 1 month ago)
Last Updated
2026-04-04 (about 1 month ago)

Other

Published
Title
Published
2025-04-30
Title
WordPress Simple PayPal Shopping Cart < 5.1.4 - Insecure Direct Object Reference via 'quantity'
Published
2026-01-02
Title
Justicia <= 1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-09-18
Title
Service Finder Bookings <= 6.0 - Unauthenticated Privilege Escalation via claim_business
Published
2026-04-07
Title
Blog2Social: Social Media Auto Post & Scheduler < 8.8.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Schedule Modification via 'b2s_id' Parameter
Published
2026-01-29
Title
Shiprocket <= 2.0.8 - Authenticated (Subscriber+) Insecure Direct Object Reference