Skip to main content

WCFM Frontend Manager EUVDEUVD-2026-43162

| CVE-2026-10041 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-11 Wordfence GHSA-mpgm-9gr3-fhr6
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.4 MEDIUM

A:L added over the official scoring because permanent deletion of enquiries and bulk messages constitutes limited availability impact beyond the integrity dimension; all other metrics match the provided vector.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 07:09 vuln.today
CVE Published
Jul 11, 2026 - 05:35 cve.org
MEDIUM 4.3

DescriptionCVE.org

The WCFM - Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors.

AnalysisAI

Unauthorized cross-vendor manipulation in WCFM - Frontend Manager for WooCommerce (all versions ≤ 6.7.27) allows authenticated subscriber-level users to archive competitor vendors' product listings, toggle featured status on arbitrary listings, mark WooCommerce orders as completed, and permanently delete enquiries and bulk messages belonging to other vendors within the same marketplace. Multiple AJAX handlers in class-wcfm-ajax.php, class-wcfm-enquiry.php, and class-wcfm-notification.php accept user-controlled object IDs without verifying ownership - a textbook CWE-639 IDOR pattern enabling horizontal privilege escalation across vendor accounts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or compromise subscriber-level WordPress account
Delivery
POST crafted AJAX request to wp-admin/admin-ajax.php
Exploit
Supply arbitrary vendor product, order, or enquiry ID in user-controlled key
Execution
Bypass missing ownership validation in WCFM AJAX handler
Impact
Archive, modify, or permanently delete target vendor content

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account at subscriber level or above - the minimum role assignable to a registered user on most WordPress sites. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 base score of 4.3 (Medium) reflects AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N - network-accessible, low complexity, low-privilege authenticated, with only limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WooCommerce marketplace running the vulnerable WCFM plugin, then issues crafted AJAX POST requests to wp-admin/admin-ajax.php supplying competitor vendors' product IDs in the wcfm_product_archive action parameter - actions the server processes without ownership validation. By iterating over enumerable product or order IDs, the attacker archives a rival vendor's entire product catalog, marks their pending orders as fulfilled, and permanently deletes inbound customer enquiries, causing direct revenue and reputational harm. …
Remediation A fix was committed to the WordPress plugin repository per the SVN changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3588570%40wc-frontend-manager&new=3588570%40wc-frontend-manager; however, the specific patched release version number is not explicitly stated in the available data - the upstream fix is confirmed by commit but has not been independently verified as a tagged release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43162 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy