Insecure Direct Object Reference in WCFM - Frontend Manager for WooCommerce
CVE-2026-10041
4.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-10041?
The WCFM β Frontend Manager for WooCommerce plugin for WordPress exposes a critical vulnerability that allows authenticated users with subscriber-level access and above to perform unauthorized actions. Due to insufficient validation on user-controlled keys, attackers can manipulate vendor product archives, change featured statuses, mark orders as completed, and delete inquiries belonging to other vendors. This vulnerability affects all versions up to and including 6.7.27, posing significant risks to site integrity and vendor confidentiality.
Affected Version(s)
WCFM β Frontend Manager for WooCommerce 0 <= 6.7.27