CVE-2026-10041 MEDIUM

CVE-2026-10041: WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Vendor Data Manipulation via Multiple AJAX Handlers

Vendor Wclovers
Product WCFM – Frontend Manager for WooCommerce
Weakness CWE-639 · IDOR
Published July 11, 2026
Last update July 13, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors.

Explanation of Vulnerability in Simple Terms

02Summary

WCFM – Frontend Manager for WooCommerce versions up to 6.7.27 contain an authorization flaw that allows authenticated users to modify data they should not have access to. An attacker with a low-privilege account can alter information through the plugin's interface. The vulnerability requires an active user account but no additional user interaction. Update to a version newer than 6.7.27.

What an attacker can do

03Attacker Capabilities

Modify data or settings in WooCommerce through the WCFM interface without proper authorization checks.

Potential impact on your site

04Site Impact

Unauthorized changes to WooCommerce data, product listings, or vendor information by low-privilege users.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site (e.g., customer or vendor account).

Key dates

06Disclosure timeline

July 11, 2026 CVE published
July 13, 2026 Record updated

Related vulnerabilities

08Related CVE