JustAppSec

WCFM patches vendor IDOR enabling cross-store order tampering

Published 03 Apr 2026. Updated 04 Apr 2026. Source: Wordfence Intelligence.

TL;DR — A broken object-ownership check in WCFM’s AJAX handlers lets Vendor-level accounts tamper with other vendors’ orders and content, breaking multi-vendor isolation in WooCommerce marketplaces.

What happened

WCFM – Frontend Manager for WooCommerce is a WordPress plugin that lets sellers/vendors manage WooCommerce storefront operations (products, articles, and related workflows) from a frontend dashboard.

Wordfence reports a High-severity Insecure Direct Object Reference (IDOR) in which multiple AJAX actions (including wcfm_modify_order_status, delete_wcfm_article, delete_wcfm_product, and the article management controller) do not sufficiently validate user-supplied object IDs against the requesting vendor's ownership. As a result, an authenticated attacker with Vendor-level access or above can modify the status of any order and delete or modify any post/product/page regardless of ownership.

This is a classic “tenant boundary collapse” for multi-vendor ecommerce: marketplace roles are often broadly granted, and IDORs in management endpoints can become direct paths to fraud (order manipulation), defacement, or destructive business-impacting changes.
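To make the missing check concrete, the following is an added illustration written for this article, not WCFM's own code. It shows the handler pattern the advisory describes (an AJAX action that trusts a user-supplied object ID) next to a hardened form that gates on nonce, role, input validation and, crucially, object ownership. The function names, the nonce names, the `_vendor_id` order-meta key and the list of vendor-permitted status transitions are assumptions made for the example; the WordPress and WooCommerce functions called are real.

```php
<?php
// Added illustration of the IDOR pattern and its fix; not WCFM code.
// Assumptions: vendor ownership of an order is stored in order meta '_vendor_id',
// and vendors may only move orders between a small set of statuses.

// VULNERABLE PATTERN: any logged-in user who can reach the action can act on
// any order, because the handler never asks who owns the object.
function example_vulnerable_modify_order_status() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_key( $_POST['status'] ?? '' );

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Missing: ownership check. This is the tenant-boundary collapse.
    $order->update_status( $status );
    wp_send_json_success();
}

// HARDENED PATTERN: nonce, authentication, input validation, then
// object-level authorization before any state change.
function example_hardened_modify_order_status() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_vendor_order_nonce', 'nonce' );

    // 2. Authentication gate (wp_ajax_nopriv_ is deliberately not registered).
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'unauthenticated', 401 );
    }

    // 3. Input validation: numeric ID and a status from an allow-list.
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_key( $_POST['status'] ?? '' );
    $allowed  = array( 'processing', 'completed', 'on-hold' ); // assumption
    if ( ! $order_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // 4. Object-level authorization: the order must belong to this vendor.
    $order = wc_get_order( $order_id );
    if ( ! $order || (int) $order->get_meta( '_vendor_id' ) !== $user_id ) {
        // Same response for "missing" and "not yours", so the endpoint does
        // not confirm which order IDs exist.
        wp_send_json_error( 'not found', 404 );
    }

    $order->update_status( $status, 'Status changed by vendor ' . $user_id );
    wp_send_json_success();
}

// Same discipline for destructive actions on posts/products/pages.
function example_hardened_delete_product() {
    check_ajax_referer( 'example_vendor_delete_nonce', 'nonce' );
    $user_id = get_current_user_id();
    $post_id = absint( $_POST['product_id'] ?? 0 );
    $post    = $post_id ? get_post( $post_id ) : null;

    // Existence, type and ownership in one test.
    if ( ! $post || 'product' !== $post->post_type || (int) $post->post_author !== $user_id ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Second gate: core's per-object capability (resolved via map_meta_cap).
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_trash_post( $post_id );
    wp_send_json_success();
}

// Register for authenticated users only.
add_action( 'wp_ajax_example_modify_order_status', 'example_hardened_modify_order_status' );
add_action( 'wp_ajax_example_delete_product', 'example_hardened_delete_product' );
```

The ordering matters: the nonce and role checks stop casual abuse, but only the ownership comparison (step 4, and the `post_author` test in the delete handler) enforces the multi-vendor boundary. A `current_user_can()` check on a broad role capability is not a substitute, because every vendor holds the same role.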

Who is impacted

  • WordPress sites running WCFM – Frontend Manager for WooCommerce <= 6.7.25.
  • Deployments that grant untrusted users Vendor (or higher) access, including multi-vendor marketplace setups.
Component             Affected versions (per Wordfence)   Patched version (per Wordfence)
wc-frontend-manager   <= 6.7.25                           6.7.26

What to do now

  • Follow vendor remediation guidance and apply the update:
    • "Remediation: Update to version 6.7.26, or a newer patched version"

  • Inventory where wc-frontend-manager is deployed (including staging/admin clones) and confirm no instances remain on the affected range.
  • Treat this as an authorization-boundary incident class: review who currently has Vendor (or higher) roles and reduce/segment access where feasible.
  • If compromise is suspected, review logs/audit trails for unexpected use of the impacted AJAX actions and for anomalous order-status changes or bulk deletions/edits of posts/products/pages.
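Standard web-server access logs rarely help with the last point, because admin-ajax.php actions travel in the POST body and all look like the same URL. The mu-plugin below is an added example written for this article, not WCFM's code, showing how to produce the audit trail the review needs: it records each call to the impacted AJAX actions with the acting user, logs every order status change and flags those made by a user who is neither the order's vendor nor a shop manager, and counts trashing of products/posts/pages per user per hour. The action names come from the advisory; the `_vendor_id` order-meta key, the bulk threshold of 20 and the plugin name are assumptions.

```php
<?php
/**
 * Plugin Name: Example WCFM audit trail (added illustration, not WCFM code)
 *
 * Place in wp-content/mu-plugins/. Each event is one line in the PHP error
 * log (grep for 'wcfm-audit') so it can be shipped to a SIEM.
 */

const EXAMPLE_WATCHED_ACTIONS = array(
    'wcfm_modify_order_status',
    'delete_wcfm_article',
    'delete_wcfm_product',
);

// 1. Record every call to an impacted AJAX action: actor, target ID, source IP.
//    admin-ajax.php fires admin_init before wp_ajax_{action}, so priority 1
//    runs before the plugin's handler.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = sanitize_key( $_REQUEST['action'] ?? '' );
    if ( ! in_array( $action, EXAMPLE_WATCHED_ACTIONS, true ) ) {
        return;
    }
    // Logged only; the handler still decides whether to act.
    $target = absint( $_REQUEST['order_id'] ?? $_REQUEST['product_id'] ?? $_REQUEST['post_id'] ?? 0 );
    error_log( sprintf(
        'wcfm-audit ajax action=%s user=%d target=%d ip=%s',
        $action,
        get_current_user_id(),
        $target,
        sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' )
    ) );
}, 1 );

// 2. Record every order status change; flag CROSS_VENDOR when the actor is
//    not the owning vendor and not a shop manager/administrator.
add_action( 'woocommerce_order_status_changed', function ( $order_id, $from, $to, $order ) {
    $actor  = get_current_user_id();
    $vendor = (int) $order->get_meta( '_vendor_id' ); // assumption: ownership meta key
    $cross  = $actor && $vendor && $actor !== $vendor && ! current_user_can( 'manage_woocommerce' );
    error_log( sprintf(
        'wcfm-audit status order=%d %s->%s actor=%d vendor=%d%s',
        $order_id, $from, $to, $actor, $vendor, $cross ? ' CROSS_VENDOR' : ''
    ) );
}, 10, 4 );

// 3. Count trash events per user per hour; flag NOT_OWNER and BULK.
add_action( 'wp_trash_post', function ( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post || ! in_array( $post->post_type, array( 'product', 'post', 'page' ), true ) ) {
        return;
    }
    $actor = get_current_user_id();
    $key   = 'example_wcfm_del_' . $actor . '_' . gmdate( 'YmdH' );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HOUR_IN_SECONDS );

    $flags  = ( (int) $post->post_author !== $actor ) ? ' NOT_OWNER' : '';
    $flags .= ( $count > 20 ) ? ' BULK' : ''; // assumption: threshold
    error_log( sprintf(
        'wcfm-audit trash post=%d type=%s author=%d actor=%d hour_count=%d%s',
        $post_id, $post->post_type, (int) $post->post_author, $actor, $count, $flags
    ) );
} );
```

During an investigation, the lines tagged CROSS_VENDOR, NOT_OWNER or BULK are the ones to pull first; correlating them with the `ajax` lines for the same user and hour shows which of the impacted actions was used. The hooks only observe, so the plugin is safe to deploy before the update as well as after it.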

