CVE-2026-3477
Missing Authorization in PZ Frontend Manager Allows User Deletion
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| plugin_developer | pz_frontend_manager | up to and including 1.0.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
PZ Frontend Manager is a WordPress plugin, and all versions up to and including 1.0.6 are affected by a missing authorization flaw (CWE-862). The function pzfm_user_request_action_callback(), which handles user activation, deactivation and deletion, performs neither a capability check nor nonce verification. Any authenticated user, Subscriber role or higher, can therefore send a crafted request to admin-ajax.php for the pzfm_user_request_action action and delete arbitrary WordPress users, including administrators.
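As an added illustration (not the plugin's source code and not part of this advisory), here is the shape of an AJAX handler with the defect described above, followed by a hardened version that verifies a nonce and the caller's capability for every target user. The function name and the dataType field come from the description; the user_ids field, the pzfm_status meta key and the nonce action name pzfm_user_request are assumptions.

```php
<?php
/**
 * Illustrative reconstruction, not the plugin's code. Field 'user_ids', the
 * 'pzfm_status' meta key and the nonce action 'pzfm_user_request' are assumed.
 */

// Vulnerable shape: anyone with a logged-in session reaching admin-ajax.php
// can drive this handler; nothing ties the action to a capability or a nonce.
function pzfm_user_request_action_callback_vulnerable() {
    $type = isset( $_POST['dataType'] ) ? sanitize_key( $_POST['dataType'] ) : '';
    $ids  = isset( $_POST['user_ids'] ) ? array_map( 'absint', (array) $_POST['user_ids'] ) : array();

    foreach ( $ids as $user_id ) {
        if ( 'delete' === $type ) {
            require_once ABSPATH . 'wp-admin/includes/user.php';
            wp_delete_user( $user_id ); // no check that the caller may delete users
        } elseif ( 'activate' === $type ) {
            update_user_meta( $user_id, 'pzfm_status', 'active' );
        } elseif ( 'deactivate' === $type ) {
            update_user_meta( $user_id, 'pzfm_status', 'inactive' );
        }
    }
    wp_send_json_success();
}

// Hardened shape: nonce first, then a per-target capability check, then act.
function pzfm_user_request_action_callback_hardened() {
    // Dies with HTTP 403 if the 'nonce' field is missing or not valid for this action.
    check_ajax_referer( 'pzfm_user_request', 'nonce' );

    $type = isset( $_POST['dataType'] ) ? sanitize_key( $_POST['dataType'] ) : '';
    $ids  = isset( $_POST['user_ids'] ) ? array_map( 'absint', (array) $_POST['user_ids'] ) : array();

    if ( ! in_array( $type, array( 'activate', 'deactivate', 'delete' ), true ) || empty( $ids ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // Meta capabilities: map_meta_cap() resolves delete_user / edit_user to the
    // delete_users / edit_users role caps (administrator only by default; on
    // multisite only super admins may delete users).
    $required = ( 'delete' === $type ) ? 'delete_user' : 'edit_user';

    foreach ( $ids as $user_id ) {
        if ( ! $user_id || ! current_user_can( $required, $user_id ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        // A bulk action must never remove the account that issued it.
        if ( 'delete' === $type && get_current_user_id() === $user_id ) {
            wp_send_json_error( 'cannot delete own account', 403 );
        }
    }

    foreach ( $ids as $user_id ) {
        if ( 'delete' === $type ) {
            require_once ABSPATH . 'wp-admin/includes/user.php';
            wp_delete_user( $user_id );
        } else {
            update_user_meta( $user_id, 'pzfm_status', ( 'activate' === $type ) ? 'active' : 'inactive' );
        }
    }
    wp_send_json_success();
}

add_action( 'wp_ajax_pzfm_user_request_action', 'pzfm_user_request_action_callback_hardened' );

// The nonce has to reach the page that sends the request, for example when the
// plugin's script is localized (script handle 'pzfm-js' is assumed):
// wp_localize_script( 'pzfm-js', 'pzfm', array( 'nonce' => wp_create_nonce( 'pzfm_user_request' ) ) );
```

The capability check is done per target user rather than once, because the meta capabilities delete_user and edit_user take the target ID into account (editing yourself is allowed, deleting yourself is not). The nonce alone would not have prevented this issue, since a Subscriber can obtain a valid nonce from any page that issues one; the capability check is what actually closes CWE-862.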
How can this vulnerability impact me?
An attacker who holds nothing more than a Subscriber account (the role WordPress assigns to self-registered users by default) can delete any user, including every administrator. That means loss of administrative control over the site, disruption for users whose accounts disappear, and an easier path to further compromise, since the attacker can remove the accounts that would otherwise notice and respond.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Look in the web server logs for POST requests to wp-admin/admin-ajax.php whose action parameter is pzfm_user_request_action (wp_ajax_pzfm_user_request_action is the server-side hook name, not a URL), in particular those that set dataType to delete and supply user IDs. Note that admin-ajax.php is normally called with POST, so these parameters travel in the request body, which the default Apache and nginx access log formats do not record; the grep below only matches when the parameters were sent in the query string or when you log request bodies (for example through a WAF or ModSecurity audit log). Where your logging allows it, correlate hits with the authenticated WordPress user, since the attacker holds a valid low-privilege session.
Example command to search Apache access logs:
- grep 'wp-admin/admin-ajax.php' /var/log/apache2/access.log | grep 'action=pzfm_user_request_action' | grep 'dataType=delete'
To confirm whether an installation is vulnerable, send the same request with curl from a throwaway Subscriber account against a throwaway target user, and only on a staging copy of the site, because a successful test deletes the target.
What immediate steps should I take to mitigate this vulnerability?
Update the plugin to a release newer than 1.0.6 if the developer has published one; otherwise deactivate or remove PZ Frontend Manager until a fixed version is available.
Block requests to wp-admin/admin-ajax.php that carry action=pzfm_user_request_action at a web application firewall (WAF), or allow them only for sessions that hold the administrator role.
Because any authenticated account, Subscriber or higher, can exploit this, disable open registration (Settings > General > "Anyone can register") while the vulnerable plugin is active, and review existing low-privilege accounts for any you do not recognize.
Monitor user accounts for unexpected deletions and restore deleted users from backups; note that wp_delete_user() also removes the user's posts unless they were reassigned, so check content as well as accounts.
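If the plugin cannot be deactivated right away, a must-use plugin can enforce the missing capability check in front of the plugin's own handler and log every rejected attempt, which covers both the blocking and the monitoring steps above. This is an added example, not code from the plugin or from Wordfence; it assumes the plugin registers its callback on wp_ajax_pzfm_user_request_action at the default priority (10) and that target users arrive in a user_ids or user_id field.

```php
<?php
/**
 * Plugin Name: Virtual patch for pzfm_user_request_action (added example)
 * Description: Blocks and logs calls to the PZ Frontend Manager user action
 * endpoint from callers lacking the relevant capability. Place the file in
 * wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Priority 0 runs before the plugin's callback (assumed at priority 10).
// wp_send_json_error() ends the request, so a rejected call never reaches it.
add_action( 'wp_ajax_pzfm_user_request_action', 'pzfm_virtual_patch_guard', 0 );

function pzfm_virtual_patch_guard() {
    $type = isset( $_REQUEST['dataType'] ) ? sanitize_key( $_REQUEST['dataType'] ) : '';

    // Field names for the targets are assumptions; accept a list or a single ID.
    $ids = array();
    if ( isset( $_REQUEST['user_ids'] ) ) {
        $ids = array_map( 'absint', (array) $_REQUEST['user_ids'] );
    } elseif ( isset( $_REQUEST['user_id'] ) ) {
        $ids = array( absint( $_REQUEST['user_id'] ) );
    }

    // Deletion needs delete_user on each target; activation/deactivation is
    // treated as an edit. Requests with no recognizable target fail closed.
    $required = ( 'delete' === $type ) ? 'delete_user' : 'edit_user';
    $allowed  = ! empty( $ids );
    foreach ( $ids as $user_id ) {
        if ( ! $user_id || ! current_user_can( $required, $user_id ) ) {
            $allowed = false;
            break;
        }
    }

    if ( $allowed ) {
        return; // fall through to the plugin's handler
    }

    // Record the attempt: the POST body is not in the access log, so this is
    // often the only trace an investigator will have.
    $user = wp_get_current_user();
    error_log( sprintf(
        'pzfm virtual patch: blocked dataType=%s targets=%s user=%d roles=%s ip=%s',
        $type,
        implode( ',', $ids ),
        $user->ID,
        implode( '|', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( 'forbidden', 403 );
}
```

The guard deliberately does not require a nonce: the plugin's legitimate front-end requests do not send one (that is part of the finding), so a nonce check here would break normal use. If the plugin's handler uses a different field name for the targets, the guard fails closed and blocks those requests too; adjust the field names before deploying, and test with an administrator account on staging first.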