PT-2026-7196 · WordPress · Bookings Subscription Listings Compatible+1

Published: 2026-02-09 · Updated: 2026-02-15 · CVE-2026-0845

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress versions up to and including 6.7.24

Description

The software contains a flaw that allows unauthorized modification of data, potentially leading to privilege escalation. A missing capability check within the WCFM_Settings_Controller::processing() function permits authenticated attackers with Shop Manager-level access or higher to modify arbitrary options on a WordPress site. This can be exploited to elevate user privileges, such as changing the default registration role to administrator and enabling user registration for malicious purposes, ultimately granting attackers administrative access.

Recommendations

Update to a version later than 6.7.24.
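
The defensive pattern that the description says is missing, shown as an added example that is not the WCFM plugin's code or its actual fix. It goes beyond the capability check alone by also verifying a nonce and restricting writes to an allowlist of option names. The handler name, action name, nonce field and `example_*` option names are all hypothetical.

```php
<?php
// Added illustration: a hypothetical settings handler, not code from the WCFM plugin.

// Options this settings screen may write (hypothetical names), each mapped to its
// sanitizer. Core options such as default_role and users_can_register are absent,
// so a request cannot reach them even if it passes the checks below.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_store_name'  => 'sanitize_text_field',
    'example_store_email' => 'sanitize_email',
);

// Keep only allowlisted keys with scalar values and sanitize each one.
function example_filter_options( array $submitted ) {
    $clean = array();
    foreach ( EXAMPLE_ALLOWED_OPTIONS as $name => $sanitizer ) {
        if ( isset( $submitted[ $name ] ) && is_scalar( $submitted[ $name ] ) ) {
            $clean[ $name ] = call_user_func( $sanitizer, (string) $submitted[ $name ] );
        }
    }
    return $clean;
}

function example_save_settings() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request when verification fails.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorization: being logged in is not enough. manage_options is the
    //    core capability for changing site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Never pass request-supplied option names straight to update_option().
    $submitted = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    foreach ( example_filter_options( $submitted ) as $name => $value ) {
        update_option( $name, $value );
    }

    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
```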

Fix

LPE

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-0845

Affected Products

Bookings Subscription Listings Compatible
WCFM – Frontend Manager for WooCommerce