What the vulnerability does
01Description
The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors.
Explanation of Vulnerability in Simple Terms
02Summary
WCFM – Frontend Manager for WooCommerce versions up to 6.7.27 contain an authorization flaw that allows authenticated users to modify data they should not have access to. An attacker with a low-privilege account can alter information through the plugin's interface. The vulnerability requires an active user account but no additional user interaction. Update to a version newer than 6.7.27.
What an attacker can do
03Attacker Capabilities
Modify data or settings in WooCommerce through the WCFM interface without proper authorization checks.
Potential impact on your site
04Site Impact
Unauthorized changes to WooCommerce data, product listings, or vendor information by low-privilege users.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the site (e.g., customer or vendor account).
Key dates
06Disclosure timeline
July 11, 2026
CVE published
July 13, 2026
Record updated