WCFM IDOR lets vendors delete any WordPress user, including admins
TL;DR - WCFM - Frontend Manager for WooCommerce <= 6.7.25: the wcfm_delete_wcfm_customer action accepts a caller-supplied customerid and deletes the corresponding user with no check that the caller is authorised to act on that target. Any Vendor-level (or higher) account can delete any user on the site, including Administrator accounts.
What happened
WCFM - Frontend Manager for WooCommerce is a WordPress plugin that gives vendors a frontend management dashboard for WooCommerce multi-vendor marketplaces.
CVE-2026-2554 is a textbook Insecure Direct Object Reference (IDOR). The wcfm_delete_wcfm_customer action takes a customerid from the request and deletes the corresponding account. There is no check that the calling vendor owns or is otherwise authorised to touch that user. Supply an administrator's user ID and it gets deleted.
| Item | Detail |
|---|---|
| Affected component | WCFM - Frontend Manager for WooCommerce (WordPress) |
| Affected versions | <= 6.7.25 |
| Vulnerable action | wcfm_delete_wcfm_customer via customerid parameter |
| Minimum privilege required | Vendor (or equivalent mapped capability) |
| Impact | Arbitrary user deletion, including Administrator accounts |
| Severity | CVSS 3.1 8.1 (High) |
Multi-vendor marketplaces treat vendor accounts as semi-trusted, internet-facing identities - created at scale, often self-serve, prone to credential reuse. A single compromised vendor account is all an attacker needs to wipe Administrator accounts off the site.
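The defect is object-level authorisation, so the fix is not "require a capability" but "verify that this caller may act on this specific user". As an added illustration (not WCFM's source and not the vendor's patch), the handler below contrasts the IDOR pattern with a hardened version; the hook name, the vendor capability name, the nonce action and the `customer_vendor_id` user-meta key are assumptions used only for the example.

```php
<?php
// Illustrative WordPress AJAX handlers, not WCFM's code. Hypothetical names:
// hook 'example_delete_customer', capability 'wcfm_vendor', nonce action
// 'example-delete-customer', user-meta key 'customer_vendor_id'.

// IDOR pattern: the caller-supplied customerid is trusted and deleted outright.
function example_delete_customer_unsafe() {
    require_once ABSPATH . 'wp-admin/includes/user.php';   // defines wp_delete_user()
    $target = absint( $_POST['customerid'] ?? 0 );
    wp_delete_user( $target );                              // no ownership or role check
    wp_send_json_success();
}

// Hardened pattern: verify intent, caller privilege, ownership and target role.
function example_delete_customer_safe() {
    require_once ABSPATH . 'wp-admin/includes/user.php';

    // 1. Request must carry a nonce bound to this action (CSRF protection).
    check_ajax_referer( 'example-delete-customer', 'security' );

    // 2. Caller must hold the vendor capability at all (coarse check).
    if ( ! current_user_can( 'wcfm_vendor' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Object-level check: the target must exist and be a customer of THIS vendor.
    $target = absint( $_POST['customerid'] ?? 0 );
    $user   = get_userdata( $target );
    $owner  = (int) get_user_meta( $target, 'customer_vendor_id', true );
    if ( ! $user || $owner !== get_current_user_id() ) {
        wp_send_json_error( 'not your customer', 403 );
    }

    // 4. A vendor-level action must never remove a privileged account or itself.
    if ( user_can( $user, 'manage_options' ) || $target === get_current_user_id() ) {
        wp_send_json_error( 'refusing to delete privileged or own account', 403 );
    }

    wp_delete_user( $target );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_customer', 'example_delete_customer_safe' );
```

Steps 3 and 4 are the ones whose absence produces the behaviour described above; step 2 alone would still let any vendor delete any user.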
Who is impacted
- WordPress sites running WCFM - Frontend Manager for WooCommerce (slug wc-frontend-manager) at versions <= 6.7.25.
- Any site where accounts mapped to the WCFM Vendor capability can reach WCFM management actions.
- Highest risk: marketplaces with many vendors, self-registration enabled, or where vendor accounts are routinely created and abandoned. Credential reuse and account takeover are common in this segment.
What to do now
- Apply the latest patched release from the plugin author immediately.
- Inventory production WordPress instances for the plugin slug wc-frontend-manager and confirm no site is running <= 6.7.25.
- Treat this as a destructive authorisation failure:
  - Review WordPress audit trails and server logs for unexpected user deletions.
  - Confirm all Administrator accounts and their recovery email addresses are intact.
  - Check for any Vendor accounts showing signs of takeover: new sessions, unfamiliar IPs, administrative activity immediately following vendor logins.
- If compromise is suspected, rotate credentials for affected accounts and review Vendor account access thoroughly before restoring normal operations.