Overview
A high-severity Insecure Direct Object Reference (IDOR) vulnerability has been disclosed in the WCFM – Frontend Manager for WooCommerce plugin for WordPress. Tracked as CVE-2026-4896, the flaw carries a CVSS base score of 8.1 and affects all plugin versions up to and including 6.7.25.
Successful exploitation allows an authenticated attacker—regardless of their own privilege level—to modify, delete, or otherwise manipulate orders and articles belonging to other users by invoking unprotected AJAX actions directly.
Technical Details
The vulnerability stems from missing authorization checks on multiple AJAX action handlers within the plugin. The affected endpoints include (but may not be limited to):
- wcfm_modify_order_status — allows status changes on arbitrary orders
- delete_wcfm_article — allows deletion of articles owned by other users
Because these handlers perform no ownership verification before acting on the supplied object identifiers, any authenticated user can craft a request with a target user's order ID or article ID and perform privileged operations against it. This is a classic IDOR pattern where the application trusts user-supplied identifiers without confirming the requester is authorized to act on the referenced resource.
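To make the missing check concrete, the following is an added illustration and not code from the WCFM plugin or from this advisory. It shows a minimal WordPress AJAX handler written in the pattern the paragraph describes, beside a hardened version of the same handler. The action name `demo_modify_order_status`, the nonce action `demo_order_nonce`, and the `demo_` function names are hypothetical; the WordPress and WooCommerce calls (`check_ajax_referer`, `current_user_can`, `wc_get_order`, `wp_send_json_error`) are real APIs.

```php
<?php
// Added example (hypothetical handler, not WCFM code).
// Both functions expect a POST to admin-ajax.php with "order_id" and "status".

// --- Vulnerable pattern: the order ID is trusted as-is, so any logged-in
//     user reaches update_status() for any order on the store.
function demo_modify_order_status_vulnerable() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_key( $_POST['status'] ?? '' );

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'no such order', 404 );
    }
    // No nonce, no capability check, no ownership check: classic IDOR.
    $order->update_status( $status );
    wp_send_json_success();
}

// --- Hardened pattern: nonce, capability, ownership and an input allow-list.
function demo_modify_order_status_hardened() {
    // 1. CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( 'demo_order_nonce', 'nonce' );

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_key( $_POST['status'] ?? '' );

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'no such order', 404 );
    }

    // 2. Authorization: store managers may act on any order; everyone else
    //    only on an order they own. Ownership comes from the order record
    //    on the server side, never from anything the client sent.
    $user_id    = get_current_user_id();
    $is_manager = current_user_can( 'manage_woocommerce' );
    $is_owner   = ( $user_id > 0 && (int) $order->get_customer_id() === $user_id );
    if ( ! $is_manager && ! $is_owner ) {
        // Same response as "not found" so the check does not reveal
        // whether the guessed ID exists.
        wp_send_json_error( 'no such order', 404 );
    }

    // 3. Only the transitions this endpoint is meant to perform.
    $allowed = array( 'cancelled' );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }

    $order->update_status( $status, 'Changed via frontend by user ' . $user_id );
    wp_send_json_success();
}

// Register only the hardened handler, and only for logged-in users
// (no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_demo_modify_order_status', 'demo_modify_order_status_hardened' );
```

On a multi-vendor store the ownership rule is usually "the vendor whose products are in the order" rather than the purchasing customer, so the `$is_owner` test would compare against the vendor ID stored on the order or its line items; the structure of the check (resolve the object, derive the owner from the stored record, compare with the current user, fall back to a capability) stays the same.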
Impact
| Attribute | Value |
|---|---|
| CVSS Score | 8.1 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (authenticated) |
| User Interaction | None |
An attacker with a standard WordPress account on an affected store could:
- Modify order statuses — e.g., mark orders as fulfilled to obtain goods without payment
- Delete vendor articles — disrupt competitor or co-vendor listings on a multi-vendor WooCommerce store
- Enumerate order data — leverage predictable object IDs to access other customers' order records
Multi-vendor WooCommerce setups managed via WCFM are particularly at risk, as multiple vendors share the same storefront environment and competing merchants could abuse this flaw against one another.
Affected Versions
- WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible: all versions ≤ 6.7.25
Remediation
Site administrators and store owners should:
- Update the WCFM plugin to a patched release (a version newer than 6.7.25) as soon as one is published.
- Monitor plugin changelogs on WordPress.org for a security patch notice.
- Use a WAF or security plugin (e.g., Wordfence, Solid Security) to log and alert on anomalous admin-ajax.php requests from low-privilege accounts, in particular calls to the affected actions that reference order or article IDs the requesting user does not own.
- Restrict vendor roles to the minimum required capabilities while awaiting a patch.
Until a fix is confirmed, consider temporarily disabling the affected AJAX actions via a custom functions.php hook if the feature is not business-critical.
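As an added example of that interim hook (not part of the advisory and not WCFM's own code), the snippet below can be placed in a site-specific plugin or the theme's functions.php. It goes slightly beyond a plain disable: the two actions named in this advisory are blocked for every user who lacks the `manage_woocommerce` capability, so administrators and shop managers keep the feature while vendor and customer accounts cannot reach the vulnerable handlers. It assumes WCFM registers its callbacks on the standard `wp_ajax_{action}` hooks at the default priority (10), so a priority-0 callback runs first and can end the request; the `demo_` names and the choice of capability are this example's, not the plugin's.

```php
<?php
/**
 * Added example: temporary guard for the AJAX actions listed in the advisory.
 * Remove it once the patched WCFM release is installed.
 *
 * Assumption: WCFM hooks these actions at the default priority (10), so
 * priority 0 below runs before the plugin's handler.
 */

// Action names from the advisory; extend if the vendor lists more.
const DEMO_GUARDED_WCFM_ACTIONS = array(
    'wcfm_modify_order_status',
    'delete_wcfm_article',
);

function demo_guard_wcfm_ajax_action() {
    // Store managers and administrators keep the feature.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return;
    }

    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';

    // Log the blocked attempt for detection. Only parameter names are logged,
    // not values, so the log cannot be seeded with attacker-controlled content.
    error_log( sprintf(
        'wcfm-guard: blocked action=%s user=%d ip=%s params=%s',
        $action,
        get_current_user_id(),
        $ip,
        implode( ',', array_map( 'sanitize_key', array_keys( $_REQUEST ) ) )
    ) );

    // wp_send_json_error() ends the request, so the plugin's handler never runs.
    wp_send_json_error( 'This action is temporarily disabled.', 403 );
}

foreach ( DEMO_GUARDED_WCFM_ACTIONS as $demo_action ) {
    add_action( 'wp_ajax_' . $demo_action, 'demo_guard_wcfm_ajax_action', 0 );
}
```

Because the guard responds with a 403 and writes a recognisable `wcfm-guard:` line to the PHP error log, the same log can feed the monitoring step above: repeated blocked calls from one low-privilege account are worth investigating even after the patch is applied.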