CVE-2026-2554
IDOR Vulnerability in WCFM Frontend Manager for WooCommerce
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wcfm | frontend_manager | up to and including 6.7.25 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the WCFM - Frontend Manager for WooCommerce and the Bookings Subscription Listings Compatible plugin for WordPress in all versions up to and including 6.7.25. It is an Insecure Direct Object Reference (IDOR) issue in the 'wcfm_delete_wcfm_customer' function, caused by missing validation on the user-controlled 'customerid' parameter: the function does not verify that the referenced user is one the caller is entitled to delete.
This flaw allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including those with Administrator privileges.
How can this vulnerability impact me?
An attacker with Vendor-level access or above can exploit this vulnerability to delete any user account, including Administrator accounts.
This can lead to loss of critical user accounts, disruption of service, potential denial of access for legitimate users, and overall compromise of the system's integrity and availability.
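An added example, not the plugin's own code, showing the authorization checks whose absence the description attributes to this function: a hypothetical WordPress AJAX delete handler that treats 'customerid' as untrusted, verifies the referenced customer belongs to the calling vendor, and refuses to remove administrators. The handler name, the nonce action and the '_wcfm_vendor' user meta key are assumptions made for this illustration.

```php
<?php
// Hypothetical handler (not the plugin's code). Names are assumptions for illustration.
add_action( 'wp_ajax_wcfm_demo_delete_customer', 'wcfm_demo_delete_customer' );

function wcfm_demo_delete_customer() {
    // Request must carry a nonce issued to this logged-in user (CSRF protection).
    check_ajax_referer( 'wcfm_demo_delete_customer', 'nonce' );

    // 'customerid' is attacker-controlled input: coerce it to a non-negative integer only.
    $customer_id = isset( $_POST['customerid'] ) ? absint( $_POST['customerid'] ) : 0;
    $vendor_id   = get_current_user_id();

    if ( ! $customer_id || ! $vendor_id ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    // Object-level authorization is the check an IDOR lacks; it is kept separate for testing.
    $decision = wcfm_demo_can_vendor_delete_customer( $vendor_id, $customer_id );
    if ( is_wp_error( $decision ) ) {
        wp_send_json_error( $decision->get_error_message(), 403 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here.
    wp_delete_user( $customer_id );
    wp_send_json_success();
}

/**
 * Returns true when $vendor_id may delete $customer_id, otherwise a WP_Error naming the failed check.
 */
function wcfm_demo_can_vendor_delete_customer( $vendor_id, $customer_id ) {
    $customer = get_user_by( 'id', $customer_id );
    if ( ! $customer ) {
        return new WP_Error( 'not_found', 'no such user' );
    }
    // A vendor-level action must never remove an administrator, whatever the record's owner.
    if ( user_can( $customer, 'manage_options' ) ) {
        return new WP_Error( 'protected', 'administrators cannot be deleted here' );
    }
    // Site administrators may manage any non-admin customer.
    if ( user_can( $vendor_id, 'manage_options' ) ) {
        return true;
    }
    // Ownership check: the customer record must belong to the calling vendor.
    // Assumption: ownership is stored in the '_wcfm_vendor' user meta key.
    $owner = (int) get_user_meta( $customer_id, '_wcfm_vendor', true );
    if ( $owner !== (int) $vendor_id ) {
        return new WP_Error( 'not_owner', 'customer does not belong to this vendor' );
    }
    return true;
}
```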