CVE-2026-2554 - Vulnerability Analysis
HighCVSS: 8.1Last Updated: May 2, 2026
WCFM Frontend Manager for WooCommerce - Insecure Direct Object Reference
Published: May 2, 2026Updated: May 2, 2026Remote Exploitable
Overview
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress <= 6.7.25 contains an insecure direct object reference caused by missing validation on 'customerid' in 'wcfm_delete_wcfm_customer', letting authenticated attackers with Vendor-level access delete arbitrary users including Administrators, exploit requires Vendor-level or higher privileges.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Authenticated attackers with Vendor-level access can delete arbitrary users including Administrators, leading to privilege abuse and potential denial of service.
Mitigation
Update to the latest version beyond 6.7.25.
References
Related Resources
Details
- CVE ID
- CVE-2026-2554
- Severity
- High
- CVSS Score
- 8.1
- Type
- broken_access_control
- Status
- new
CWE
- CWE-639
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H