WCFM – WooCommerce Frontend Manager < 6.7.25 – Authenticated (Shop Manager+) Arbitrary Options Update | CVE 2026-0845 | Plugin Vulnerabilities

Description

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affects Plugins

wc-frontend-manager

Fixed in 6.7.25

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4973cef3-dddf-4eb5-99f4-c23a0e162fd6

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Osvaldo Noe Gonzalez Del Rio (Os)

Verified

No

WPVDB ID

a697ae10-8159-490c-9f97-9aa183105b1d

Timeline

Publicly Published

2026-02-09 (about 3 months ago)

Added

2026-02-09 (about 3 months ago)

Last Updated

2026-02-09 (about 3 months ago)

Other

Published

Title

Published

2026-02-18

Title

Dealia – Request a quote < 1.0.8 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset

Published

2025-02-03

Title

Slide Banners <= 1.3 - Missing Authorization

Published

2025-12-10

Title

Searcher for Elementor <= 1.0.3 - Missing Authorization

Published

2025-03-13

Title

SoundRise Music < 1.7.1 - Authenticated (Subscriber+) Arbitrary Options Update

Published

2026-02-15

Title

Client Invoicing by Sprout Invoices < 20.8.9 - Missing Authorization