CVE-2025-54004

Severity: LOW (CVSS 3.1 base score 2.6)
Published: 2025-12-16, reported by [email protected]

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 16, 2025 - 09:15 (nvd), severity LOW 2.6

Description

Missing Authorization vulnerability in WC Lovers WCFM - Frontend Manager for WooCommerce wc-frontend-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM - Frontend Manager for WooCommerce: from n/a through <= 6.7.24.

Analysis

Missing authorization in WCFM - Frontend Manager for WooCommerce through version 6.7.24 allows authenticated users with limited privileges to bypass access controls via incorrectly configured security levels, enabling read-only disclosure of sensitive information. Exploitation requires an authenticated account and user interaction, and the low EPSS score (0.03%, 10th percentile) indicates minimal real-world exploitation probability.

Technical Context

WCFM is a WordPress plugin that provides frontend management capabilities for WooCommerce store operators. The vulnerability stems from CWE-862 (Missing Authorization), a class of flaws where access control decisions are not properly enforced at critical points in the application logic. The plugin appears to rely on role-based access control (RBAC) mechanisms to segregate functionality between user types (e.g., vendors, store managers, administrators), but these checks are implemented inconsistently. Authenticated users can exploit misconfigured security levels to access resources or information beyond their assigned privilege tier. The high attack complexity (AC:H) in the CVSS vector suggests the exploitation path is not straightforward and requires specific conditions or user interaction to succeed.
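The following is an added illustration of the CWE-862 pattern described above in a WordPress frontend-manager style AJAX handler; it is hypothetical code written for this page, not WCFM's own code. The action name `fm_get_vendor_orders`, the capability `fm_view_orders` and the helper `fm_orders_for_vendor()` are assumptions; `check_ajax_referer`, `current_user_can`, `is_user_logged_in` and `wp_send_json_*` are standard WordPress functions, and `manage_woocommerce` is WooCommerce's store-manager capability.

```php
<?php
// Hypothetical handler showing missing authorization (CWE-862) in a
// WordPress plugin, beside the hardened form. Runs inside WordPress;
// fm_orders_for_vendor() is an assumed helper defined elsewhere.

// BEFORE: any logged-in user (PR:L) can read any vendor's order list.
// Authentication is mistaken for authorization: the requested vendor_id
// is never compared with the caller and no capability is required.
function fm_get_vendor_orders_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $vendor_id = absint( $_GET['vendor_id'] ?? 0 );
    wp_send_json_success( fm_orders_for_vendor( $vendor_id ) );
}

// AFTER: authorization is enforced at the entry point, every time.
function fm_get_vendor_orders_fixed() {
    // 1. Request originated from this site's own UI (nonce check).
    check_ajax_referer( 'fm_vendor_orders', 'nonce' );

    // 2. Function-level check: caller must hold a capability that grants
    //    this feature. 'fm_view_orders' is an assumed vendor capability;
    //    store managers hold WooCommerce's 'manage_woocommerce'.
    $is_manager = current_user_can( 'manage_woocommerce' );
    if ( ! $is_manager && ! current_user_can( 'fm_view_orders' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Object-level check: a vendor may only read their own orders.
    //    Ownership is derived from the session, never from request input.
    $vendor_id = absint( $_GET['vendor_id'] ?? 0 );
    if ( ! $is_manager && $vendor_id !== get_current_user_id() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( fm_orders_for_vendor( $vendor_id ) );
}

// Register only the hardened handler. No 'wp_ajax_nopriv_' variant is
// added, so unauthenticated callers never reach this code path at all.
add_action( 'wp_ajax_fm_get_vendor_orders', 'fm_get_vendor_orders_fixed' );
```

When auditing a plugin for this flaw class, look for every `wp_ajax_`, REST route or shortcode handler and confirm it performs both the capability check and the ownership check, since a single handler that skips either is enough to reproduce the "inconsistent checks" condition described above.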

Affected Products

Versions 6.7.24 and earlier of the WCFM - Frontend Manager for WooCommerce plugin for WordPress are affected. The plugin is distributed through the WordPress plugin repository and via direct licensing. Vulnerable versions lack proper authorization enforcement in the access control logic covering vendor and store manager functionality.

Remediation

Update WCFM - Frontend Manager for WooCommerce to a patched version above 6.7.24 immediately. Patch availability and the specific fixed version number should be confirmed via the official plugin update mechanism or the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/wc-frontend-manager/vulnerability/wordpress-wcfm-frontend-manager-for-woocommerce-plugin-6-7-21-broken-access-control-vulnerability. As an interim mitigation, restrict plugin access to trusted vendor and store manager accounts only, and audit user roles and capabilities in WooCommerce to ensure least-privilege assignments. Monitor access logs for suspicious activity by authenticated users accessing resources outside their assigned scope.

Priority Score

13 (components: KEV 0, EPSS +0.0, CVSS +13, POC 0)
