{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4896", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-26T14:26:49.942Z", "datePublished": "2026-04-04T07:42:00.432Z", "dateUpdated": "2026-04-08T17:33:54.728Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:54.728Z"}, "affected": [{"vendor": "wclovers", "product": "WCFM \u2013 Frontend Manager for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.7.25", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership."}], "title": "WCFM - WooCommerce Frontend Manager <= 6.7.25 - Insecure Direct Object References to Autenticated (Vendor+) Arbitrary Post/Product Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8248098-dff2-4bac-a138-aa40c7ab7a1c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-ajax.php?marks=644,880#L644"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-article.php?marks=271#L271"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-01-10T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-13T21:38:45.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-03T19:36:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T16:46:50.763567Z", "id": "CVE-2026-4896", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T16:47:45.630Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4896", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T16:46:50.763567Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T16:47:41.115Z"}}], "cna": {"title": "WCFM - WooCommerce Frontend Manager <= 6.7.25 - Insecure Direct Object References to Autenticated (Vendor+) Arbitrary Post/Product Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "wclovers", "product": "WCFM \u2013 Frontend Manager for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.7.25"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-10T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-13T21:38:45.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-03T19:36:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8248098-dff2-4bac-a138-aa40c7ab7a1c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-ajax.php?marks=644,880#L644"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-article.php?marks=271#L271"}], "descriptions": [{"lang": "en", "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-04T07:42:00.432Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4896", "state": "PUBLISHED", "dateUpdated": "2026-04-06T16:47:45.630Z", "dateReserved": "2026-03-26T14:26:49.942Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-04T07:42:00.432Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership."}], "id": "CVE-2026-4896", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-04T08:16:06.543", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-ajax.php?marks=644,880#L644"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-article.php?marks=271#L271"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8248098-dff2-4bac-a138-aa40c7ab7a1c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.7.25]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WCFM \u2013 Frontend Manager for WooCommerce", "source": "cna", "vendor": "wclovers"}, "product": "wcfm_\u2013_frontend_manager_for_woocommerce", "vendor": "wclovers"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-04T11:21:47.430689+00:00", "value": {"mitigation_remediation": ["Apply the latest plugin update (version 6.7.26 or later) that patches the insecure object reference issue", "Verify that the installed WCFM plugin version is within the safe range by checking the plugin settings or revision history", "Restrict Vendor-level access to only trusted personnel and review user roles regularly", "If an immediate update is not possible, consider disabling or monitoring the vulnerable AJAX endpoints until a patch is available", "Maintain regular backups to allow recovery if content has been altered or deleted"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized modification of orders, posts, and products"}, "threat_synthesis": {"affected_systems": "The affected vendor is wclovers and the product is the WooCommerce Frontend Manager (WCFM). All released versions up to and including 6.7.25 are vulnerable, with the issue present in the core plugin as well as in the integrated Bookings Subscription Listings plugin.", "description_and_impact": "The vulnerability in the WooCommerce Frontend Manager allows authenticated users who possess Vendor-level or higher access privileges to perform arbitrary modifications on orders, posts, pages, and products through several AJAX actions, including wcfm_modify_order_status, delete_wcfm_article, delete_wcfm_product, and the article management controller. This weakness is a classic example of insecure direct object reference (CWE-639) where user-supplied identifiers are not properly validated, enabling the attacker to change data that they do not own. Consequences include tampering with order status, deleting or altering content, and potentially compromising business transactions and data integrity.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.1, marking it as high severity. Exploitation requires authenticated access at the Vendor level or higher, which is typically granted to trusted users such as store managers. Given the simplicity of the AJAX interactions, successful exploitation is likely if an attacker can obtain such credentials. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog and no EPSS score is available, but the high CVSS indicates a significant risk when the conditions are met."}}}}, "created": "2026-04-06T20:27:36.523566+00:00", "updated": "2026-04-06T22:20:55.668583+00:00", "vendors": ["wclovers", "wclovers$PRODUCT$wcfm_\u2013_frontend_manager_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}