WCFM WooCommerce Frontend Manager Privilege Escalation Vulnerability

Vulnerability

A vulnerability in the WCFM - Frontend Manager for WooCommerce plugin for WordPress, affecting all versions through 6.7.24, allows authenticated users with Shop Manager-level access or higher to bypass capability checks and modify arbitrary data. Because the unchecked handler can change the default role for new users to administrator and enable user registration, this unauthorized data manipulation leads to privilege escalation and full administrative access on the affected WordPress site.

Impact

Exploitation of this vulnerability could result in unauthorized users gaining administrative privileges on the WordPress site.

Reproduction

To reproduce this vulnerability, an authenticated user with Shop Manager access or higher sends a request that reaches the 'WCFM_Settings_Controller::processing' function, which performs no capability check before acting on the submitted data. The request carries 'wcfm_settings_form' data, which the vulnerable function parses and processes. Once the request is processed, the user can update various options on the site, including changing the default role for new users to administrator.
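The missing-check pattern described above, as an added illustration that is not WCFM's own code: a constructed WordPress settings handler that writes whatever a logged-in user posts, beside a hardened version that verifies a nonce, requires the manage_options capability and allow-lists the options it may touch, followed by a small audit of the two core options this flaw is known to abuse. Function, nonce and field names are hypothetical.

```php
<?php
// Constructed illustration (not the plugin's code): a handler that parses a
// posted form and writes options without checking who is calling it.
function insecure_settings_processing() {
    // Any authenticated user who can reach this endpoint gets here.
    parse_str( wp_unslash( $_POST['settings_form'] ?? '' ), $form );
    foreach ( $form as $option => $value ) {
        // e.g. default_role => administrator, users_can_register => 1
        update_option( sanitize_key( $option ), $value );
    }
}

// Hardened version: nonce check, explicit capability check, and an
// allow-list of options this frontend handler is permitted to change.
function secure_settings_processing() {
    // Reject forged or replayed requests before doing anything else.
    check_ajax_referer( 'settings_form_nonce', 'security' );

    // Shop Managers do not hold manage_options by default; only
    // administrators may change site-wide settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    parse_str( wp_unslash( $_POST['settings_form'] ?? '' ), $form );

    // Core options such as default_role and users_can_register are never
    // writable from here, whatever the form contains.
    $allowed = array( 'store_name', 'store_email' );
    foreach ( $form as $option => $value ) {
        if ( is_scalar( $value ) && in_array( $option, $allowed, true ) ) {
            update_option( $option, sanitize_text_field( $value ) );
        }
    }
    wp_send_json_success();
}

// Defender check: report whether the settings an attacker would flip via
// this flaw are currently in the dangerous state.
function audit_registration_options() {
    $findings = array();
    if ( 'administrator' === get_option( 'default_role' ) ) {
        $findings[] = 'default_role is administrator';
    }
    if ( get_option( 'users_can_register' ) ) {
        $findings[] = 'users_can_register is enabled';
    }
    return $findings; // empty array means both options look sane
}
```

Run the audit function from a WP-CLI eval or an admin-only page after patching; any finding means the options should be reverted and recently created administrator accounts reviewed.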

Remediation

Users are advised to update the WCFM - Frontend Manager for WooCommerce plugin to version 6.7.25 or later.

Added: Feb 10, 2026, 1:43 AM
Updated: Feb 10, 2026, 1:43 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 2.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.