{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/wcfm--frontend-manager-for-woocommerce-along-with-bookings-subscription-listings-compatible-plugin--6.7.25/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-2554"}],"_cs_exploited":false,"_cs_products":["WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin \u003c= 6.7.25"],"_cs_severities":["high"],"_cs_tags":["idor","wordpress","woocommerce","account-deletion"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin, a popular WordPress plugin, is affected by an Insecure Direct Object Reference (IDOR) vulnerability. This flaw, present in versions up to and including 6.7.25, stems from a lack of proper validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter within the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function. An attacker with Vendor-level privileges or higher can exploit this vulnerability to delete any user account on the WordPress instance, including those with administrative rights. This can lead to complete compromise of the affected website.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with Vendor-level access or higher.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003ecustomerid\u003c/code\u003e parameter in the request, setting its value to the ID of the target user account they wish to delete.\u003c/li\u003e\n\u003cli\u003eDue to the missing validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter, the application directly uses the provided ID to locate the user account.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function proceeds to delete the user account identified by the attacker-supplied \u003ccode\u003ecustomerid\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe targeted user account is successfully deleted from the WordPress instance.\u003c/li\u003e\n\u003cli\u003eIf the deleted user account was an administrator, the attacker can effectively take control of the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this IDOR vulnerability allows an attacker to delete arbitrary user accounts, including those with administrative privileges. This can lead to a complete compromise of the affected WordPress website. An attacker could then deface the website, steal sensitive data, or use it to launch further attacks. Due to the popularity of the plugin, a large number of WooCommerce stores are potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest available patch or upgrade to a version of the WCFM plugin greater than 6.7.25 to remediate CVE-2026-2554.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e with unusual \u003ccode\u003ecustomerid\u003c/code\u003e values, using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter within the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function to prevent arbitrary user deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T14:16:17Z","date_published":"2026-05-02T14:16:17Z","id":"/briefs/2026-05-wordpress-wcfm-idor/","summary":"The WCFM plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including administrators.","title":"WordPress WCFM Plugin Vulnerable to IDOR Leading to Account Deletion","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-wcfm-idor/"}],"language":"en","title":"CraftedSignal Threat Feed — WCFM – Frontend Manager for WooCommerce Along With Bookings Subscription Listings Compatible Plugin \u003c= 6.7.25","version":"https://jsonfeed.org/version/1.1"}