CVE-2026-4896: WCFM Insecure Object Reference (HIGH)

Platform: wordpress

Component: wc-frontend-manager

Fixed in: 6.7.26

CVE-2026-4896 is an Insecure Direct Object Reference (IDOR) vulnerability in the WCFM – Frontend Manager for WooCommerce plugin for WordPress. An authenticated attacker with Vendor-level access or higher can exploit it to modify order statuses and to delete or modify posts, products, and pages, irrespective of ownership. Versions of WCFM up to and including 6.7.25 are affected. A patch is available in version 6.7.26.

How to fix

Update to version 6.7.26 or a newer patched version.

Frequently asked questions

What is CVE-2026-4896?

CVE-2026-4896 is an Insecure Direct Object Reference vulnerability in the WCFM – Frontend Manager for WooCommerce plugin for WordPress. It allows authenticated users with Vendor access to manipulate orders and content they shouldn't be able to.

Am I affected by CVE-2026-4896?

You are potentially affected if you are using WCFM – Frontend Manager for WooCommerce version 6.7.25 or earlier. Verify your plugin version and update immediately if vulnerable.

How do I fix CVE-2026-4896?

Update WCFM – Frontend Manager for WooCommerce to version 6.7.26 or later to resolve this vulnerability. Ensure all plugins and WordPress core are also up to date.
