Unauthorized Configuration Modification in WCFM – Frontend Manager for WooCommerce
CVE-2026-0845

7.2HIGH

Key Information:

Vendor

WordPress
Status
Wcfm – Frontend Manager For WooCommerce Along With Bookings Subscription Listings Compatible
Vendor
CVE Published:
9 February 2026

What is CVE-2026-0845?

The WCFM – Frontend Manager for WooCommerce, along with the Bookings Subscription Listings Compatible plugin for WordPress, is vulnerable to unauthorized data modifications due to a crucial missing capability check in the 'WCFM_Settings_Controller::processing' function. This affects all versions up to and including 6.7.24. Authenticated attackers with Shop Manager-level access and above can exploit this vulnerability to alter arbitrary options on the WordPress site. Such manipulation could allow attackers to change the default role assigned during user registration to 'administrator', thereby facilitating unauthorized access through newly registered accounts with elevated privileges.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible * <= 6.7.24

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/wc-frontend-ma...
https://plugins.trac.wordpress.org/browser/wc-frontend-ma...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Osvaldo Noe Gonzalez Del Rio
JSON
.