CVE-2024-8290

Name of the Vulnerable Software and Affected Versions: WCFM – Frontend Manager for WooCommerce versions up to, and including, 6.7.12

Description: The issue is related to Insecure Direct Object Reference, which affects the WCFM – Frontend Manager for WooCommerce along with the Bookings Subscription Listings Compatible plugin for WordPress. This is due to missing validation on the ID user-controlled key in the WCFM Customers Manage Controller::processing function. As a result, authenticated attackers with subscriber or customer-level access and above can change the email address of administrator user accounts, allowing them to reset the password and access the administrator account.

Recommendations: For versions up to, and including, 6.7.12, consider disabling the WCFM Customers Manage Controller::processing function until a patch is available to prevent exploitation. Restrict access to administrator accounts and monitor for any suspicious activity. Update to a version that includes the fix for this issue once it becomes available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.