Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
A:L added over the official scoring because permanent deletion of enquiries and bulk messages constitutes limited availability impact beyond the integrity dimension; all other metrics match the provided vector.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WCFM - Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors.
AnalysisAI
Unauthorized cross-vendor manipulation in WCFM - Frontend Manager for WooCommerce (all versions ≤ 6.7.27) allows authenticated subscriber-level users to archive competitor vendors' product listings, toggle featured status on arbitrary listings, mark WooCommerce orders as completed, and permanently delete enquiries and bulk messages belonging to other vendors within the same marketplace. Multiple AJAX handlers in class-wcfm-ajax.php, class-wcfm-enquiry.php, and class-wcfm-notification.php accept user-controlled object IDs without verifying ownership - a textbook CWE-639 IDOR pattern enabling horizontal privilege escalation across vendor accounts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account at subscriber level or above - the minimum role assignable to a registered user on most WordPress sites. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 base score of 4.3 (Medium) reflects AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N - network-accessible, low complexity, low-privilege authenticated, with only limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a WooCommerce marketplace running the vulnerable WCFM plugin, then issues crafted AJAX POST requests to wp-admin/admin-ajax.php supplying competitor vendors' product IDs in the wcfm_product_archive action parameter - actions the server processes without ownership validation. By iterating over enumerable product or order IDs, the attacker archives a rival vendor's entire product catalog, marks their pending orders as fulfilled, and permanently deletes inbound customer enquiries, causing direct revenue and reputational harm. … |
| Remediation | A fix was committed to the WordPress plugin repository per the SVN changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3588570%40wc-frontend-manager&new=3588570%40wc-frontend-manager; however, the specific patched release version number is not explicitly stated in the available data - the upstream fix is confirmed by commit but has not been independently verified as a tagged release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43162
GHSA-mpgm-9gr3-fhr6