Wcfm Frontend Manager For Woocommerce
Monthly
Unauthorized cross-vendor manipulation in WCFM - Frontend Manager for WooCommerce (all versions ≤ 6.7.27) allows authenticated subscriber-level users to archive competitor vendors' product listings, toggle featured status on arbitrary listings, mark WooCommerce orders as completed, and permanently delete enquiries and bulk messages belonging to other vendors within the same marketplace. Multiple AJAX handlers in class-wcfm-ajax.php, class-wcfm-enquiry.php, and class-wcfm-notification.php accept user-controlled object IDs without verifying ownership - a textbook CWE-639 IDOR pattern enabling horizontal privilege escalation across vendor accounts. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Authorization bypass in WCFM - Frontend Manager for WooCommerce (all versions through 6.7.27) allows unauthenticated network attackers to inject arbitrary content into store inquiry replies, overwrite inquiry records in the wp_wcfm_enquiries database table, and trigger unsolicited notification emails to customers and vendors. The root cause is a missing authentication gate in the wcfm-my-account-enquiry-manage controller branch - unlike its sibling branches, it performs neither is_user_logged_in() nor current_user_can() checks. The nonce that serves as the sole barrier is embedded into every public page load without any login requirement, rendering it ineffective as an access control. No public exploit code and no CISA KEV listing identified at time of analysis.
Unauthorized cross-vendor manipulation in WCFM - Frontend Manager for WooCommerce (all versions ≤ 6.7.27) allows authenticated subscriber-level users to archive competitor vendors' product listings, toggle featured status on arbitrary listings, mark WooCommerce orders as completed, and permanently delete enquiries and bulk messages belonging to other vendors within the same marketplace. Multiple AJAX handlers in class-wcfm-ajax.php, class-wcfm-enquiry.php, and class-wcfm-notification.php accept user-controlled object IDs without verifying ownership - a textbook CWE-639 IDOR pattern enabling horizontal privilege escalation across vendor accounts. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Authorization bypass in WCFM - Frontend Manager for WooCommerce (all versions through 6.7.27) allows unauthenticated network attackers to inject arbitrary content into store inquiry replies, overwrite inquiry records in the wp_wcfm_enquiries database table, and trigger unsolicited notification emails to customers and vendors. The root cause is a missing authentication gate in the wcfm-my-account-enquiry-manage controller branch - unlike its sibling branches, it performs neither is_user_logged_in() nor current_user_can() checks. The nonce that serves as the sole barrier is embedded into every public page load without any login requirement, rendering it ineffective as an access control. No public exploit code and no CISA KEV listing identified at time of analysis.