CVE-2026-3477

Name of the Vulnerable Software and Affected Versions PZ Frontend Manager plugin for WordPress versions up to and including 1.0.6

Description The PZ Frontend Manager plugin for WordPress is susceptible to a missing authorization issue. The pzfm user request action callback() function, accessible through the wp ajax pzfm user request action AJAX endpoint, does not perform adequate capability checks or nonce verification. This function manages user activation, deactivation, and deletion. Specifically, when the dataType parameter is set to 'delete', the function calls wp delete user() on provided user IDs without verifying sufficient permissions. This allows authenticated attackers with Subscriber-level access or higher to delete arbitrary WordPress users, including administrators, by sending a crafted request to the ''wp ajax pzfm user request action'' endpoint.

Recommendations For versions up to and including 1.0.6, update to a newer version that addresses this authorization issue.