CVE-2026-10041 in WCFM Plugininfo

Summary

by MITRE • 07/11/2026

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The vulnerability identified in the WCFM – Frontend Manager for WooCommerce plugin represents a critical Insecure Direct Object Reference flaw that compromises the integrity of multi-vendor e-commerce platforms operating on WordPress. This security weakness affects all versions through 6.7.27 and stems from insufficient input validation within the wcfm_product_archive functionality, creating a pathway for authenticated attackers to manipulate objects they should not have direct access to. The vulnerability specifically targets the plugin's handling of user-controlled keys that determine which vendor data is being accessed or modified, effectively allowing unauthorized operations on foreign vendor resources without proper authorization checks.

The technical implementation of this flaw occurs within the plugin's backend processing where the wcfm_product_archive parameter fails to validate whether the requesting user has legitimate access rights to modify or archive products, orders, or other vendor-specific data. This missing validation creates a scenario where an attacker with subscriber-level privileges can manipulate the system by crafting requests that target specific vendor identifiers, thereby bypassing normal access controls that should restrict users to their own vendor data only. The vulnerability operates at the application logic level and is classified under CWE-284 as an improper access control mechanism that allows unauthorized access to resources.

The operational impact of this vulnerability extends beyond simple data manipulation to encompass significant business and security implications for affected e-commerce platforms. Attackers can archive arbitrary vendors' products, effectively removing them from public visibility and potentially causing revenue loss or disruption to vendor operations. The ability to toggle featured status on listings allows malicious actors to manipulate product visibility and ranking within the marketplace, while marking orders as completed enables unauthorized fulfillment of purchases that may not have been legitimately placed. Furthermore, the capability to permanently delete enquiries and bulk messages creates a data destruction vector that can disrupt communication channels between vendors and customers, potentially leading to service degradation or loss of important business information.

Organizations utilizing this plugin must implement immediate mitigations to address the identified vulnerability, including applying the latest available patch from the plugin vendor or implementing custom access controls within their WordPress environment. The remediation strategy should focus on strengthening input validation mechanisms and ensuring proper authorization checks are enforced for all user-controlled parameters that reference object identifiers. Security teams should also consider implementing network-level controls such as web application firewalls to monitor and block suspicious requests targeting the vulnerable wcfm_product_archive functionality. Additionally, regular security audits of WordPress plugins and themes should be conducted to identify similar access control weaknesses, with adherence to security frameworks like NIST SP 800-53 and ISO/IEC 27001 standards to maintain comprehensive protection against such vulnerabilities.

The exploitation of this vulnerability aligns with ATT&CK technique T1068 which involves the use of legitimate credentials to gain access to resources, and T1485 related to data destruction through unauthorized modification of system data. This presents a significant risk to business continuity and customer trust, as malicious actors can systematically undermine vendor operations while remaining undetected within normal user activity patterns. The vulnerability demonstrates the critical importance of proper access control implementation in multi-tenant systems where different users or entities need to be restricted from accessing each other's resources without explicit authorization.

Responsible

Wordfence

Reservation

05/28/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!