Security Alert Summary
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress contains an insecure direct object reference (IDOR) vulnerability that allows authenticated users with Vendor-level access and above to act on object IDs they do not own. Attacker-supplied object IDs are not properly validated, permitting modification of order status and deletion or modification of posts, products, and pages regardless of ownership.
CVE Details
- CVE ID: CVE-2026-4896
- Affected plugin or component: WCFM – Frontend Manager for WooCommerce and Bookings Subscription Listings Compatible plugin for WordPress
- Affected versions: All versions up to, and including, 6.7.25
- Published: April 4, 2026 at 8:16:06 AM UTC
- Last modified: April 4, 2026 at 8:16:06 AM UTC
- CVSS v3.1: Base Score 8.1; Severity HIGH; Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
- Authentication / privileges / user interaction: Authentication required (attacker must have Vendor-level access or higher); Privileges required: Low (per CVSS); User interaction: None.
- Primary impact: Confidentiality: None; Integrity: High; Availability: High
- Weakness (CWE): CWE-639 (Authorization Bypass Through User-Controlled Key)
Technical Details
The vulnerability is an insecure direct object reference caused by missing validation of user-supplied object IDs. Multiple AJAX actions and controllers do not verify whether the authenticated user is authorized to act on the provided object identifier. The report names specific AJAX actions and controllers, including wcfm_modify_order_status, delete_wcfm_article, delete_wcfm_product, and the article management controller. Because the code accepts object IDs from the requester without validating ownership or access rights, an authenticated user with Vendor-level privileges or higher can change the status of arbitrary orders and delete or modify arbitrary posts, products, or pages regardless of ownership.
The impact is limited to integrity and availability effects described in the CVSS data: attackers can alter order data (for example, changing order status) and remove or modify content or products, which can disrupt storefront operations or content availability. The issue exists due to insufficient authorization checks on object identifiers supplied by users.
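To make the missing check concrete, here is an added illustration (not WCFM's code) of a hypothetical vendor-side AJAX handler that deletes a product, first in the unvalidated form that matches CWE-639 and then hardened with a nonce, an object-specific capability check, and an explicit ownership check. It assumes product ownership is the product's post_author and that the handler name, nonce action and request field are hypothetical; order-status changes would additionally need the plugin's own vendor-to-order mapping, which is not shown.

```php
<?php
// Added illustration, not plugin code. Ownership is ASSUMED to be post_author;
// 'example_delete_product', 'example_vendor_nonce' and 'product_id' are hypothetical.

// Vulnerable pattern (the CWE-639 shape): the object ID comes straight from the
// request and is acted on with no check that the requester may touch it.
function example_delete_product_vulnerable() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    wp_delete_post( $product_id, true ); // any vendor-level user can delete any product
    wp_send_json_success();
}

// Hardened pattern: validate the object, the capability for THAT object, and ownership.
function example_delete_product_hardened() {
    // 1. CSRF protection: nonce sent in the 'security' request field.
    check_ajax_referer( 'example_vendor_nonce', 'security' );

    $product_id = absint( $_POST['product_id'] ?? 0 );
    $post       = get_post( $product_id );

    // 2. The object must exist and be of the expected type.
    if ( ! $post || 'product' !== $post->post_type ) {
        wp_send_json_error( 'invalid object', 400 );
    }

    // 3. Capability check mapped to this specific post (WordPress meta-capability),
    //    not merely "is the user logged in" or "does the user have the vendor role".
    if ( ! current_user_can( 'delete_post', $product_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Explicit ownership check: only the owning vendor, or a user who may
    //    manage the whole store (WooCommerce's manage_woocommerce), may proceed.
    $is_owner = (int) $post->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $product_id, true );
    wp_send_json_success( array( 'deleted' => $product_id ) );
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_delete_product', 'example_delete_product_hardened' );
```

The same pattern (resolve the object, check the object-level capability, then confirm ownership) applies to the post, page and order-status handlers named above.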
How This Could Impact Your Website
Consider a typical WooCommerce site with several user roles: the site owner, internal staff (store managers, editors), and external contributors or contractors. A vendor-level user or compromised vendor account could:
- Change order statuses for orders they do not own, leading to incorrect shipping, fulfillment, or refund workflows;
- Delete or modify product listings or pages, causing loss of product availability, broken purchase flows, or misleading content for customers;
- Disrupt storefront operations and force restoration from backups if content or product data is removed.
The vulnerability does not indicate direct disclosure of confidential data in the CVE details, but tampered orders or content can still harm business operations and customer trust. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and privileges, especially vendor-level and contributor accounts.
- Enforce strong passwords and enable two-factor authentication for editors, administrators, and other privileged users.
- Remove unused or unmaintained plugins and themes from your site.
- Monitor site and order activity logs for unusual behavior, including unexpected order status changes or content deletions.
References
- https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-ajax.php?marks=644,880#L644
- https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-article.php?marks=271#L271
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f8248098-dff2-4bac-a138-aa40c7ab7a1c?source=cve