CVE-2026-4896 - Vulnerability Analysis
Severity: High | CVSS: 8.1 | Last Updated: April 4, 2026
WCFM Frontend Manager for WooCommerce - Broken Access Control
Published: April 4, 2026 | Updated: April 4, 2026 | Remotely Exploitable
Overview
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress, in versions up to and including 6.7.25, contains an insecure direct object reference (IDOR) caused by missing validation of user-supplied object IDs in multiple AJAX actions. Authenticated attackers with Vendor-level access can modify or delete orders, posts, products, or pages regardless of ownership.
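The defect class described above is an AJAX handler that trusts a request-supplied object ID without confirming the caller owns the object. The following is an added illustration written for this page, not WCFM's own code: a hypothetical vendor-facing WordPress AJAX handler shown first in the unchecked form and then hardened with a nonce check, a capability check, and an ownership check. The action name, nonce name, and capability are assumptions; the WordPress functions used are real.

```php
<?php
// Added illustration (not WCFM's code). Hypothetical action/nonce/capability names.

// UNCHECKED pattern (CWE-639): the object ID comes straight from the request
// and is acted on without confirming ownership, so any user who can reach
// the action can delete any product. Shown for contrast only; not hooked.
function example_delete_product_unchecked() {
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    wp_delete_post( $product_id, true );
    wp_send_json_success();
}

// HARDENED pattern: verify the request nonce, require a capability, load the
// object, check its type, and confirm the current user owns it before acting.
function example_delete_product_checked() {
    // Rejects requests without a valid nonce (dies with -1 on failure).
    check_ajax_referer( 'example_vendor_nonce', 'security' );

    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $post       = get_post( $product_id );

    // Object must exist and be of the expected type.
    if ( ! $post || 'product' !== $post->post_type ) {
        wp_send_json_error( 'not_found', 404 ); // wp_send_json_error() exits
    }

    // Ownership check: the vendor may only touch their own products.
    if ( (int) $post->post_author !== get_current_user_id() ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Meta-capability check against the specific object. WordPress maps
    // 'delete_post' to delete_posts / delete_others_posts for the post type.
    if ( ! current_user_can( 'delete_post', $product_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $product_id, true );
    wp_send_json_success( array( 'deleted' => $product_id ) );
}

// Only the checked handler is registered for logged-in users.
add_action( 'wp_ajax_example_delete_product', 'example_delete_product_checked' );
```

The same three checks apply to the order, post, and page handlers named in the advisory: the object ID from the request is only a lookup key, never an authorization decision.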
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Authenticated attackers with Vendor-level access can modify or delete any order, post, product, or page, leading to data tampering and loss of integrity.
Mitigation
Update to a version later than 6.7.25.
References
- https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-ajax.php?marks=644,880#L644
- https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-article.php?marks=271#L271
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f8248098-dff2-4bac-a138-aa40c7ab7a1c?source=cve
Details
- CVE ID: CVE-2026-4896
- Severity: High
- CVSS Score: 8.1
- Type: broken_access_control
- Status: new
CWE
- CWE-639
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H