Insecure Direct Object Reference in WCFM - Frontend Manager for WooCommerce
CVE-2026-10041

4.3MEDIUM

What is CVE-2026-10041?

The WCFM – Frontend Manager for WooCommerce plugin for WordPress exposes a critical vulnerability that allows authenticated users with subscriber-level access and above to perform unauthorized actions. Due to insufficient validation on user-controlled keys, attackers can manipulate vendor product archives, change featured statuses, mark orders as completed, and delete inquiries belonging to other vendors. This vulnerability affects all versions up to and including 6.7.27, posing significant risks to site integrity and vendor confidentiality.

Affected Version(s)

WCFM – Frontend Manager for WooCommerce 0 <= 6.7.27

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

mrholmes
papadope
.