WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.12 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation
Description
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the user-controlled ID key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts, which allows them to reset the password and access the administrator account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers with subscriber-level access can change the email address of administrator accounts via IDOR in WCFM Frontend Manager, leading to account takeover.
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability exists in the WCFM – Frontend Manager for WooCommerce plugin for WordPress, affecting all versions up to and including 6.7.12. The flaw resides in the WCFM_Customers_Manage_Controller::processing function, which fails to validate a user-controlled ID parameter. This allows authenticated users with at least subscriber/customer-level access to modify the email address of any user account, including administrators [1].
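The missing-validation pattern the description points at, as an added illustration that is not the plugin's own code: a hypothetical WordPress handler that updates a user's email from a request-supplied `ID` key, first trusting the key as received (the IDOR shape), then bound to the caller's authority with the capability checks WordPress already provides. Function names, the `$form_data` array and its keys are assumptions.

```php
<?php
// Hypothetical handler for illustration only; not the plugin's actual code.
// Names and the $form_data shape are assumptions.

// Vulnerable shape: the ID key comes straight from the request and is used
// as-is, so any logged-in user can point it at an administrator's user ID.
function demo_customer_manage_vulnerable( array $form_data ) {
    $user_id = absint( $form_data['ID'] );
    $email   = sanitize_email( $form_data['email'] );

    // No check that the caller is allowed to edit this particular user.
    return wp_update_user( array(
        'ID'         => $user_id,
        'user_email' => $email,
    ) );
}

// Hardened shape: authorize the caller against the specific object first.
function demo_customer_manage_hardened( array $form_data ) {
    $user_id = isset( $form_data['ID'] ) ? absint( $form_data['ID'] ) : 0;
    $email   = isset( $form_data['email'] ) ? sanitize_email( $form_data['email'] ) : '';

    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'not_logged_in', 'Authentication required.' );
    }
    // 'edit_user' is a meta capability: WordPress maps it so that a user
    // passes for their own account, and otherwise only with 'edit_users'.
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        return new WP_Error( 'forbidden', 'You may not edit this user.' );
    }
    // Defense in depth: a caller without admin rights never edits an admin,
    // even if a role has been granted 'edit_users' for customer management.
    $target = get_userdata( $user_id );
    if ( ! $target ) {
        return new WP_Error( 'not_found', 'No such user.' );
    }
    if ( user_can( $target, 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Target account is out of scope.' );
    }
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Invalid email address.' );
    }
    return wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
}
```

Because WordPress sends the password-reset link to the stored email, an email change on a privileged account is the step worth alerting on; logging every call that reaches `wp_update_user` with a `user_email` change, together with the acting user and target ID, gives the audit trail the hardened path relies on.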
Exploitation
An attacker must have an authenticated WordPress account with subscriber-level privileges or higher. By sending a crafted request that manipulates the ID parameter to target an administrator user, the attacker can change the administrator's email address. No additional privileges or user interaction are required [1].
Impact
Successful exploitation enables the attacker to change the email address of an administrator account. Because WordPress uses email addresses for password reset, the attacker can then request a password reset link to be sent to a controlled email address, gaining full access to the administrator account and potentially the entire WordPress site [1].
Mitigation
The plugin developer has released version 6.7.13 which fixes the IDOR vulnerability. Users should update to version 6.7.13 or later immediately. The vulnerable versions are all releases up to and including 6.7.12 [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 6.7.12
- wclovers/WCFM – Frontend Manager for WooCommerce (v5), Range: 0
Patches
- r3156433
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.12/controllers/customers/wcfm-controller-customers-manage.php (mitre)
- plugins.trac.wordpress.org/changeset/3156433/wc-frontend-manager/trunk/controllers/customers/wcfm-controller-customers-manage.php (mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/79172fe3-c0cf-48c4-8bc5-862c628c1a09 (mitre)
News mentions
No linked articles in our index yet.