Skip to content
CVSS 8.1 · HIGH

CVE-2026-2554

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.

View on NVD

Analysis

The WCFM Frontend Manager for WooCommerce plugin for WordPress contains an IDOR vulnerability allowing authenticated attackers with Vendor-level access to delete arbitrary users, including Administrators. Sites running multi-vendor marketplaces should update beyond version 6.7.25 to prevent unauthorized account deletions.

Severity

Score: 8.1(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: NONE
I: HIGH
A: HIGH
Weakness (CWE): CWE-639

EPSS

Probability of exploitation (next 30 days): 0.0003 (0.0%)
Percentile: 10.0%
EPSS: 2026-05-06

Technical description

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.

Published: 5/2/2026, 2:16:17 PM
Last modified: 5/5/2026, 7:15:06 PM

References

HomeEventsBlogResourcesTeam