WCFM WooCommerce Frontend Manager Insecure Direct Object Reference Vulnerability

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the WCFM - Frontend Manager for WooCommerce plugin, affecting all versions through 6.7.25. It arises from missing validation of user-supplied object IDs in several AJAX actions, including 'wcfm_modify_order_status', 'delete_wcfm_article' and 'delete_wcfm_product', and in the article management controller: the handlers act on whatever ID the request supplies without confirming that the requesting user owns the referenced object. As a result, authenticated attackers with Vendor-level access or higher can change the status of any order and delete or modify any post, product or page, regardless of ownership.

Impact

Exploitation of this vulnerability allows for arbitrary manipulation of posts, products, and pages, as well as unauthorized changes to order statuses.

Reproduction

To reproduce this vulnerability, an authenticated user with Vendor-level access or higher sends AJAX requests to the WordPress site using the 'wcfm_modify_order_status', 'delete_wcfm_article' or 'delete_wcfm_product' action, supplying the ID of an order or post that belongs to another user. Because the handlers do not validate that the supplied object ID belongs to the requesting user, the order status is changed or the content is deleted or modified regardless of ownership.
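The following is an added illustration of the bug class described in the Vulnerability and Reproduction sections above; it is not code from the WCFM plugin. A hypothetical WordPress AJAX handler that deletes a post by a user-supplied 'post_id' is shown first in its vulnerable shape (a role capability check only, no ownership check), then hardened to verify the nonce, an object-level capability and authorship before acting, and the same pattern is applied to an order-status change. The action names, parameter names, nonce actions and the 'example_vendor_id' order meta key are assumptions made for the example.

```php
<?php
// Added example: hypothetical WordPress AJAX handlers, not the WCFM plugin's code.
// Action names, the 'post_id'/'order_id'/'status' parameters, the nonce actions
// and the 'example_vendor_id' meta key are assumptions for illustration.

// VULNERABLE: the handler trusts the user-supplied post ID. Any logged-in user
// holding 'edit_posts' (for instance a vendor role) can delete any post,
// product or page on the site simply by changing post_id.
function example_delete_item_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // terminates the request
    }

    // No check that the current user owns $post_id: this is the IDOR.
    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// HARDENED: verify the CSRF nonce, check a capability bound to the specific
// object, and enforce ownership so a vendor can only touch what they authored.
function example_delete_item_hardened() {
    check_ajax_referer( 'example_delete_item_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Object-level capability: WordPress maps 'delete_post' to delete_posts or
    // delete_others_posts depending on who authored the post.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Explicit ownership check, the control that is missing in the IDOR.
    if ( (int) $post->post_author !== get_current_user_id() ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post->ID, true );
    wp_send_json_success( array( 'deleted' => $post->ID ) );
}

// Same pattern for an order-status change: confirm the order exists, that the
// requested status is one WooCommerce knows, and that the order belongs to the
// acting vendor before calling update_status(). How an order is linked to a
// vendor is plugin-specific; the 'example_vendor_id' meta key is an assumption.
function example_modify_order_status_hardened() {
    check_ajax_referer( 'example_modify_order_nonce', 'nonce' );

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $order    = ( $order_id && function_exists( 'wc_get_order' ) ) ? wc_get_order( $order_id ) : false;

    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }

    // wc_get_order_statuses() keys are 'wc-' prefixed, e.g. 'wc-completed'.
    if ( ! array_key_exists( 'wc-' . $status, wc_get_order_statuses() ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }

    // Ownership check on the order before any state change.
    if ( (int) $order->get_meta( 'example_vendor_id' ) !== get_current_user_id() ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $order->update_status( $status, 'Changed via frontend manager' );
    wp_send_json_success( array( 'order' => $order->get_id(), 'status' => $status ) );
}

// Only the hardened handlers are registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_delete_item', 'example_delete_item_hardened' );
add_action( 'wp_ajax_example_modify_order_status', 'example_modify_order_status_hardened' );
```

The essential point is that a role-level capability check ('can this user delete posts at all?') is not an authorization decision about a particular object; the fix loads the object by the supplied ID and compares its owner to the current user before doing anything with it.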

Remediation

Users are advised to update the WCFM - Frontend Manager for WooCommerce plugin to version 6.7.26 or a newer patched version.

Added: Apr 4, 2026, 8:19 AM
Updated: Apr 4, 2026, 8:19 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 4.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.