WCFM Frontend Manager for WooCommerce Insecure Direct Object Reference Vulnerability Allowing Arbitrary User Deletion

Vulnerability

A vulnerability exists in the WCFM – Frontend Manager for WooCommerce plugin, including the Bookings Subscription Listings Compatible plugin, in all versions up to and including 6.7.25. The issue is an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete any user account, including Administrator accounts. It arises because the plugin does not properly validate the user-controlled 'customerid' key before acting on it, so a caller can supply the ID of a user they are not authorized to delete.
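The following is an added illustration of the defect class the advisory describes, written for this page; it is not the WCFM plugin's code, and the function names, the AJAX action, the nonce action, and the 'hypothetical_vendor_owner' meta key are assumptions. The first handler shows the IDOR pattern: a user-supplied 'customerid' is passed straight to the deletion call with no check that the requester is allowed to delete that account. The second shows the shape of a hardened handler, which verifies request intent, capability, target privilege, and ownership before deleting.

```php
<?php
// Added example for this advisory. NOT the WCFM plugin's code; all names are assumptions.

// --- Vulnerable pattern (illustrative): 'customerid' flows directly to wp_delete_user().
// --- Any logged-in caller can name any user ID, including an Administrator.
function hypothetical_vendor_delete_customer_vulnerable() {
    $customer_id = (int) $_POST['customerid'];
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $customer_id );
    wp_send_json_success();
}

// --- Hardened pattern: intent (nonce), privilege (capability), target privilege
// --- (never delete admins or yourself) and ownership (target belongs to this vendor).
function hypothetical_vendor_delete_customer_hardened() {
    // Intent: the request must carry a nonce issued for this specific action.
    check_ajax_referer( 'hypothetical_delete_customer', 'nonce' );

    $customer_id = isset( $_POST['customerid'] ) ? absint( $_POST['customerid'] ) : 0;
    $vendor_id   = get_current_user_id();

    if ( ! $customer_id || ! $vendor_id ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    // Privilege: 'delete_users' is used as a placeholder for whatever capability
    // the plugin grants for this operation; the point is that a check exists at all.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $target = get_userdata( $customer_id );
    if ( ! $target || $customer_id === $vendor_id ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Target privilege: refuse to delete privileged accounts regardless of caller role.
    if ( user_can( $target, 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Ownership: this is the check an IDOR is missing. The target must actually be
    // one of the requesting vendor's customers. The meta key is an assumption
    // standing in for the real data model.
    $owner = (int) get_user_meta( $customer_id, 'hypothetical_vendor_owner', true );
    if ( $owner !== $vendor_id ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $customer_id );
    wp_send_json_success();
}

add_action( 'wp_ajax_hypothetical_delete_customer', 'hypothetical_vendor_delete_customer_hardened' );
```

Note that the ownership check alone is what turns a guessable numeric ID into a safe reference; the capability, nonce, and privileged-target checks are defence in depth. For detection, a spike in user-deletion events attributed to Vendor-role accounts, or deletions of Administrator accounts originating from frontend AJAX endpoints, is the signal worth alerting on.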

Impact

Successful exploitation allows an authenticated attacker with Vendor-level access or higher to delete arbitrary user accounts, including Administrator accounts.

Remediation

Users are advised to update the WCFM Frontend Manager for WooCommerce plugin to version 6.7.26 or later.

Added: May 2, 2026, 2:23 PM
Updated: May 2, 2026, 2:23 PM