Unauthorized Data Modification in WCFM – Frontend Manager and WooCommerce Plugin by WordPress
CVE-2025-3780

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Wcfm – Frontend Manager For WooCommerce Along With Bookings Subscription Listings Compatible
Vendor: CVE Published:; 9 July 2025

What is CVE-2025-3780?

The WCFM – Frontend Manager for WooCommerce, alongside the Bookings Subscription Listings Compatible plugin, is susceptible to unauthorized data manipulation due to a lack of capability checks in the wcfm_redirect_to_setup function. This vulnerability affects all versions up to 6.7.16, allowing unauthenticated attackers to potentially access and alter critical plugin settings, such as payment information and API keys, thereby posing significant security risks.

Affected Version(s)

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible * <= 6.7.16

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wc-frontend-ma...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 9, 2025