Account-Deletion — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/account-deletion/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 02 May 2026 14:16:17 +0000WordPress WCFM Plugin Vulnerable to IDOR Leading to Account Deletionhttps://feed.craftedsignal.io/briefs/2026-05-wordpress-wcfm-idor/Sat, 02 May 2026 14:16:17 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-wordpress-wcfm-idor/The WCFM plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including administrators.The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin, a popular WordPress plugin, is affected by an Insecure Direct Object Reference (IDOR) vulnerability. This flaw, present in versions up to and including 6.7.25, stems from a lack of proper validation on the customerid parameter within the wcfm_delete_wcfm_customer function. An attacker with Vendor-level privileges or higher can exploit this vulnerability to delete any user account on the WordPress instance, including those with administrative rights. This can lead to complete compromise of the affected website.

Attack Chain

  1. An attacker authenticates to the WordPress site with Vendor-level access or higher.
  2. The attacker crafts a malicious HTTP request targeting the wcfm_delete_wcfm_customer function.
  3. The attacker includes the customerid parameter in the request, setting its value to the ID of the target user account they wish to delete.
  4. Due to the missing validation on the customerid parameter, the application directly uses the provided ID to locate the user account.
  5. The wcfm_delete_wcfm_customer function proceeds to delete the user account identified by the attacker-supplied customerid.
  6. The targeted user account is successfully deleted from the WordPress instance.
  7. If the deleted user account was an administrator, the attacker can effectively take control of the website.

Impact

Successful exploitation of this IDOR vulnerability allows an attacker to delete arbitrary user accounts, including those with administrative privileges. This can lead to a complete compromise of the affected WordPress website. An attacker could then deface the website, steal sensitive data, or use it to launch further attacks. Due to the popularity of the plugin, a large number of WooCommerce stores are potentially affected.

Recommendation

  • Apply the latest available patch or upgrade to a version of the WCFM plugin greater than 6.7.25 to remediate CVE-2026-2554.
  • Monitor web server logs for suspicious requests to wcfm_delete_wcfm_customer with unusual customerid values, using the Sigma rule provided below.
  • Implement input validation on the customerid parameter within the wcfm_delete_wcfm_customer function to prevent arbitrary user deletion.
]]>highadvisoryidorwordpresswoocommerceaccount-deletion