WordPress WCFM Plugin CVE-2026-4896 Exposes Sites to Unauthorized Data Access
Summary
CVE-2026-4896 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in the WCFM Frontend Manager for WooCommerce plugin for WordPress, affecting all versions up to and including 6.7.24. The flaw allows authenticated attackers to access and modify data belonging to other users. The CVSS score is 8.1 (High).
Threat Analysis
CVE-2026-4896 is an Insecure Direct Object Reference (IDOR) vulnerability in the WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress, with a CVSS score of 8.1. The vulnerability affects all versions up to and including version 6.7.24.
Affected Products: WCFM Frontend Manager for WooCommerce plugin for WordPress, all versions up to and including 6.7.24.
Impact: An IDOR occurs when a request names an object (an order, a customer record, a listing) by its identifier and the application does not verify that the requester is entitled to that particular object; the attacker simply substitutes someone else's identifier. Here, any authenticated user of the site can exploit the flaw to access and modify data belonging to other users, potentially exposing sensitive customer and order information on WooCommerce stores. Because exploitation requires only a logged-in account, stores that allow open customer or vendor registration are exposed to anyone who signs up.
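To make the vulnerability class concrete, the following is an added example, written for this page and not taken from the WCFM plugin or its patch. It shows a hypothetical WordPress AJAX handler that returns an order by ID in the IDOR-prone form, alongside a hardened form that checks object ownership. The function names, the `example_get_order` nonce action and the `_vendor_id` order-item meta key are assumptions for illustration; `wc_get_order`, `check_ajax_referer`, `wp_send_json_error` and `user_can` are real WooCommerce and WordPress APIs.

```php
<?php
// Added example, not WCFM code. Both handlers serve a logged-in user who
// posts an order_id and expects that order's details back.

// VULNERABLE pattern: the only gate is "is someone logged in?". The order
// ID is taken from the request and looked up directly, so any account can
// read any order by changing the number.
function example_get_order_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id ); // WooCommerce: WC_Order or false
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Missing: any check that this user is allowed to see this order.
    wp_send_json_success( $order->get_data() );
}

// HARDENED pattern: authenticate, verify the nonce (CSRF), then authorize
// the specific object before returning or modifying it.
function example_get_order_hardened() {
    // Nonce check stops cross-site requests; it does NOT establish ownership.
    check_ajax_referer( 'example_get_order', 'nonce' ); // hypothetical action name
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    // Return the same 404 for "does not exist" and "not yours" so the
    // endpoint cannot be used as an oracle to enumerate valid order IDs.
    if ( ! $order || ! example_user_can_access_order( get_current_user_id(), $order ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $order->get_data() );
}

// Object-level authorization: who may see or change this order?
function example_user_can_access_order( $user_id, $order ) {
    // Shop managers and administrators hold manage_woocommerce.
    if ( user_can( $user_id, 'manage_woocommerce' ) ) {
        return true;
    }
    // The customer who placed the order.
    if ( (int) $order->get_customer_id() === (int) $user_id ) {
        return true;
    }
    // A vendor assigned to at least one line item. The '_vendor_id' item
    // meta key is an assumed convention for this example, not WCFM's schema.
    foreach ( $order->get_items() as $item ) {
        if ( (int) $item->get_meta( '_vendor_id' ) === (int) $user_id ) {
            return true;
        }
    }
    return false;
}

// Only the hardened handler is registered; the same ownership check must
// guard every action that reads or writes the object, not just this one.
add_action( 'wp_ajax_example_get_order', 'example_get_order_hardened' );
```

The point of the hardened version is the call to `example_user_can_access_order()`: a nonce check and a login check are not authorization, and a capability check alone (for example `edit_shop_orders`) still does not tie the user to the particular object. When auditing a plugin for IDOR, look for every handler that takes an ID from `$_POST`, `$_GET` or a REST route and confirm that each one performs an ownership or assignment check against that ID before acting.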
Recommended Mitigations: Update the WCFM Frontend Manager plugin to the latest patched version as soon as one is available for your site. If no fixed release is available, consider deactivating the plugin or, since exploitation requires an authenticated account, restricting open customer and vendor registration until it is. WordPress site administrators should audit plugin versions and apply all available security updates. Review access logs for signs of unauthorized data access, such as one account or client address requesting many different order, customer, or listing identifiers in quick succession; note that standard web-server access logs do not record POST bodies, so identifiers sent in POST requests will only be visible in application-level or WAF logging.