CVE-2025-3780 MEDIUM

CVE-2025-3780: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification

Vendor Wclovers
Product WCFM – Frontend Manager for WooCommerce
Weakness CWE-862 · Missing authorization
Published July 8, 2025
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys

Explanation of Vulnerability in Simple Terms

02Summary

WCFM – Frontend Manager for WooCommerce versions up to 6.7.16 lack proper authorization checks, allowing unauthenticated attackers to read and modify sensitive data. The vulnerability requires no user interaction and can be exploited over the network. Site administrators should update to a version newer than 6.7.16 immediately.

What an attacker can do

03Attacker Capabilities

Read and modify sensitive site data without logging in.

Potential impact on your site

04Site Impact

Unauthorized users can access and alter WooCommerce data, including orders, products, and customer information.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

July 8, 2025 CVE published
April 8, 2026 Record updated