PT-2026-36617 · WordPress · Wcfm – Frontend Manager For Woocommerce+1

Supakiad S

·

Published

2026-05-02

·

Updated

2026-05-02

·

CVE-2026-2554

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress, versions prior to 6.7.26

Description

An Insecure Direct Object Reference (IDOR) exists due to missing validation on the customerid user-controlled key within the 'wcfm delete wcfm customer' function. This allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including Administrators. IDOR is a type of access control flaw that occurs when an application provides direct access to objects based on user-supplied input.

Recommendations

Update the plugin to a version later than 6.7.25.
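The description above names the class of flaw (an object id taken from the request and acted on without checking that the caller is allowed to touch that object). The following is an added illustrative example, not code from the WCFM plugin or from this advisory's author: a hypothetical WordPress AJAX delete handler written the vulnerable way, next to a hardened version that adds a capability check, an ownership check and a privileged-account guard. The handler names, the `example_nonce` nonce and the `example_vendor_id` user-meta key used to record which vendor a customer belongs to are assumptions made for the example; only the WordPress core functions are real.

```php
<?php
// Added example (hypothetical handlers), not the plugin's own code.
// Both handlers receive a user-supplied "customerid" POST field.

require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

// VULNERABLE PATTERN: the id from the request is used directly.
// A nonce only proves the request came from a logged-in session's page; it
// says nothing about whether this caller may delete this particular user.
function example_delete_customer_vulnerable() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    $customer_id = absint( $_POST['customerid'] ?? 0 );

    // Missing: capability check, ownership check, guard against admins.
    wp_delete_user( $customer_id );
    wp_send_json_success( array( 'deleted' => $customer_id ) );
}

// Hypothetical ownership lookup: the plugin is assumed to store the owning
// vendor's user id in the customer's "example_vendor_id" user meta.
function example_customer_belongs_to_vendor( $customer_id, $vendor_id ) {
    $owner = (int) get_user_meta( $customer_id, 'example_vendor_id', true );
    return $owner > 0 && $owner === (int) $vendor_id;
}

// HARDENED PATTERN: validate the object reference against the caller.
function example_delete_customer_hardened() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    $customer_id = absint( $_POST['customerid'] ?? 0 );
    $caller_id   = get_current_user_id();

    // 1. The target must exist and must not be the caller's own account.
    if ( ! $customer_id || $customer_id === $caller_id || ! get_userdata( $customer_id ) ) {
        wp_send_json_error( 'invalid customer id', 400 );
    }

    // 2. Never allow a privileged account to be removed through a vendor path,
    //    regardless of who is calling.
    if ( user_can( $customer_id, 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Site administrators (delete_users) may remove any non-admin customer;
    //    everyone else must own the object they reference.
    $is_site_admin = current_user_can( 'delete_users' );
    if ( ! $is_site_admin && ! example_customer_belongs_to_vendor( $customer_id, $caller_id ) ) {
        // Log the denied attempt: repeated ids that belong to other vendors are
        // the detection signal for IDOR probing.
        error_log( sprintf( 'IDOR attempt: user %d tried to delete user %d', $caller_id, $customer_id ) );
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_user( $customer_id );
    wp_send_json_success( array( 'deleted' => $customer_id ) );
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_delete_customer', 'example_delete_customer_hardened' );
```

The key design choice is that the authorization decision is made against the specific object referenced (who owns customer N, and what role N holds), not merely against the caller's role: a vendor-level role is enough to reach the endpoint, so the role check alone is what the advisory describes as missing validation. Logging the denied case gives operators something to alert on.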

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-2554

Affected Products

Bookings Subscription Listings Compatible
Wcfm – Frontend Manager For Woocommerce