Platform: wordpress
Component: wc-frontend-manager
Fixed in: 6.7.26
CVE-2026-4896 is an Insecure Direct Object Reference (IDOR) vulnerability in the WCFM – Frontend Manager for WooCommerce plugin for WordPress. An authenticated attacker with Vendor-level access or higher can use it to change order statuses and to modify or delete posts, products, and pages regardless of who owns them. All versions of WCFM up to and including 6.7.25 are affected; version 6.7.26 contains the fix.
CVE-2026-4896 affects the WCFM – Frontend Manager for WooCommerce plugin and the Bookings Subscription Listings Compatible plugin for WordPress. The root cause is an Insecure Direct Object Reference (IDOR): several AJAX actions, including wcfmmodifyorderstatus, deletewcfmarticle, deletewcfm_product and the article management controller, act on a user-supplied object ID without checking that the requesting vendor is authorized to access that object. An authenticated attacker with Vendor-level access can therefore modify or delete orders, articles, and products that belong to other users, compromising the integrity and confidentiality of the WooCommerce store’s data.
Any user with Vendor-level access on a WordPress site running WCFM can exploit this vulnerability: for example, by changing the status of an order they do not own, deleting articles or products they did not create, or reading information they should not see through the article management controller. Exploitation requires authentication but not administrator privileges. Because the flaw is simple to trigger and WCFM is widely installed, it poses a significant risk to WooCommerce sites.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The fix is to update the WCFM – Frontend Manager for WooCommerce plugin to version 6.7.26 or later, which adds the missing validation of user-supplied object IDs. Site administrators running WCFM should apply the update as soon as possible. In addition, review user permissions so that the 'Vendor' role has no more access than it needs to the affected functions, and monitor server logs for unexpected requests to those AJAX actions so that exploitation attempts can be detected and handled.
Update to version 6.7.26, or a newer patched version
IDOR stands for Insecure Direct Object Reference. It occurs when an application uses a user-supplied identifier directly to access an internal object without verifying whether the user is authorized to access that object.
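The following is an added illustration of the IDOR pattern described above in the shape of WordPress AJAX handlers; it is not WCFM's code and does not reproduce the plugin's actual functions. The hook names, the `wcfm_demo_nonce` nonce action, the `demo_` functions and the `_demo_vendor_id` order meta key are all assumptions made for the example. The first handler shows the vulnerable shape (a logged-in check only, then acting on whatever ID the browser sent); the hardened handlers add a nonce check and, crucially, an authorization check bound to the specific object.

```php
<?php
/*
 * Illustrative WordPress AJAX handlers (not WCFM's code).
 * Hook names, the nonce action 'wcfm_demo_nonce', the demo_* functions
 * and the '_demo_vendor_id' meta key are assumptions for this example.
 */

// Vulnerable pattern: the handler trusts the post ID sent by the browser
// and only checks that *someone* is logged in, so any vendor can delete
// any post. This function is intentionally not hooked anywhere.
function demo_delete_article_idor() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $post_id = absint( $_POST['post_id'] ?? 0 );
    // Missing: is the current user allowed to delete THIS post?
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// Hardened pattern: verify the request origin, load the object, then ask
// whether the current user may act on this particular object.
function demo_delete_article_fixed() {
    check_ajax_referer( 'wcfm_demo_nonce', 'security' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }
    // 'delete_post' is a meta capability: WordPress maps it to delete_posts
    // or delete_others_posts depending on post_author, so a vendor without
    // delete_others_posts is refused on posts they do not own.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( $post->ID, true );
    wp_send_json_success();
}

// Orders are not authored posts, so the vendor-to-order relation must be
// checked explicitly instead of relying on a post_author capability map.
function demo_modify_order_status_fixed() {
    check_ajax_referer( 'wcfm_demo_nonce', 'security' );

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_key( $_POST['status'] ?? '' );
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Store managers may change any order; a vendor only their own.
    if ( ! current_user_can( 'manage_woocommerce' )
         && ! demo_vendor_owns_order( $order, get_current_user_id() ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reject status values WooCommerce does not know about.
    if ( ! array_key_exists( 'wc-' . $status, wc_get_order_statuses() ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }
    $order->update_status( $status, 'Changed by vendor ' . get_current_user_id() );
    wp_send_json_success( array( 'status' => $order->get_status() ) );
}

// Assumed convention for this example: the owning vendor's user ID is
// stored as order meta under '_demo_vendor_id'.
function demo_vendor_owns_order( $order, $user_id ) {
    return (int) $order->get_meta( '_demo_vendor_id' ) === (int) $user_id;
}

add_action( 'wp_ajax_demo_delete_article', 'demo_delete_article_fixed' );
add_action( 'wp_ajax_demo_modify_order_status', 'demo_modify_order_status_fixed' );
```

The point of the hardened handlers is that `is_user_logged_in()` or a role check answers "may this user call this action at all?", while `current_user_can( 'delete_post', $id )` and the explicit order-ownership test answer "may this user act on this object?". An IDOR is exactly the gap between those two questions, and the nonce check on its own does not close it.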
In the context of WCFM, 'Vendor' refers to a specific user role that allows managing products and orders within a WooCommerce store.
If you can't update immediately, consider restricting access to the vulnerable AJAX functions through firewall rules or by implementing additional access controls.
While there are no specific tools for this vulnerability, you can use web security scanners that look for IDOR patterns or perform manual security testing.
Keep WordPress, plugins, and themes updated, use strong passwords, implement a web application firewall, and perform regular backups of your site.