CVE-2026-2554:
CVE-2026-2554 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in the WCFM – Frontend Manager for WooCommerce plugin for WordPress (versions up to and including 6.7.25) that allows authenticated attackers with Vendor-level access or above to delete arbitrary users, including Administrators.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.1High- Published Date:May 2, 2026
- CISA KEV Date:*No Data*
- Industries Affected:20
Exploitability
- Score:2.8
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:LOW
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.2
- Confidentiality Impact:NONE
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
CVE-2026-2554 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in the WCFM – Frontend Manager for WooCommerce plugin for WordPress (versions up to and including 6.7.25) that allows authenticated attackers with Vendor-level access or above to delete arbitrary users, including Administrators.
Overview
CVE-2026-2554 affects the WCFM – Frontend Manager for WooCommerce plugin for WordPress in all releases up to and including version 6.7.25. The flaw is rooted in missing object-level authorization within the `wcfm_delete_wcfm_customer` functionality, where the `customerid` parameter is accepted directly from user input without validation. An attacker authenticated at the Vendor role or above can supply an arbitrary user ID to this parameter and trigger deletion of any WordPress user account on the affected installation, up to and including site Administrators. This constitutes a classic Insecure Direct Object Reference (IDOR) issue, classified as CWE-639. Exploitation is network-accessible, requires low privileges, and involves no user interaction, making it a realistic threat in multi-vendor WooCommerce environments.
Remediation
- Site owners and administrators running the WCFM – Frontend Manager for WooCommerce plugin should immediately update to version 6.7.26 or later, as the vulnerability was addressed in changeset 3483695. Until patching is possible, consider restricting Vendor-level user registrations or temporarily disabling the plugin. Administrators should also audit existing user accounts to confirm no unauthorized deletions have occurred. Applying a Web Application Firewall (WAF) rule to block unauthorized manipulation of the `customerid` parameter can serve as a temporary mitigation measure.
References
- 1. Wordfence Threat Intelligence Advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve
- 2. WordPress Plugin Trac – Vulnerable code in class-wcfm-customer.php: https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386
- 3. WordPress Plugin Trac – Patch Changeset 3483695: https://plugins.trac.wordpress.org/changeset/3483695/
- 4. NVD Entry for CVE-2026-2554: https://nvd.nist.gov/vuln/detail/CVE-2026-2554
- 5. CWE-639 – Authorization Bypass Through User-Controlled Key: https://cwe.mitre.org/data/definitions/639.html
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
