PT-2026-30313 · WordPress · WCFM – Frontend Manager for WooCommerce

Published 2026-04-04 · Updated 2026-04-05 · CVE-2026-4896

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress, versions up to and including 6.7.25

Description: The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is susceptible to Insecure Direct Object Reference in multiple AJAX actions, including wcfm modify order status, delete wcfm article, and delete wcfm product, as well as the article management controller. The handlers act on user-supplied object IDs without validating that the referenced object belongs to the requesting user. Authenticated attackers with Vendor-level access or higher can modify the status of any order and delete or modify any post, product, or page, regardless of ownership.

Recommendations: Update WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress to a version later than 6.7.25.
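As an added illustration (not WCFM's code), the handler pattern the advisory describes next to a hardened version that checks nonce, capability and object ownership before acting; the action names, nonce names, the `_example_vendor_id` meta key and the `example_vendor_owns_order()` helper are hypothetical:

```php
<?php
// Added illustration, not WCFM's code. Action names, nonce names and the
// vendor-ownership helper are hypothetical.

// BEFORE (the pattern the advisory describes): the object ID is taken from
// the request and acted on without checking who owns it.
add_action( 'wp_ajax_example_modify_order_status', function () {
    $order = wc_get_order( absint( $_POST['order_id'] ) );
    $order->update_status( sanitize_key( $_POST['status'] ) );
    wp_send_json_success();
} );

// Hypothetical ownership lookup: vendor ID kept as order meta. A real
// plugin would consult its own vendor/order mapping here.
function example_vendor_owns_order( WC_Order $order, int $user_id ): bool {
    return (int) $order->get_meta( '_example_vendor_id' ) === $user_id;
}

// AFTER: nonce, object existence and ownership are verified before the
// order is touched. wp_send_json_error() ends the request.
add_action( 'wp_ajax_example_modify_order_status_fixed', function () {
    check_ajax_referer( 'example_modify_order_status', 'nonce' );
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        wp_send_json_error( 'invalid order', 400 );
    }
    if ( ! example_vendor_owns_order( $order, get_current_user_id() ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $status = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    if ( ! in_array( $status, array( 'processing', 'completed', 'cancelled' ), true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }
    $order->update_status( $status );
    wp_send_json_success();
} );

// Deletes: WordPress meta capabilities already encode ownership, so ask for
// 'delete_post' on the specific ID instead of trusting the request.
add_action( 'wp_ajax_example_delete_product_fixed', function () {
    check_ajax_referer( 'example_delete_product', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || 'product' !== get_post_type( $post_id )
         || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( $post_id, true );
    wp_send_json_success();
} );
```

The same three checks (nonce, existence, ownership or per-object capability) apply to every AJAX action that takes an object ID, which is the root cause the advisory names.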

Tags: Fix · IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-4896

Affected Products

Bookings Subscription Listings Compatible
WCFM – Frontend Manager for WooCommerce