WCFM Frontend Manager: Critical IDOR Allows Admin Deletion

The National Vulnerability Database reports a high-severity Insecure Direct Object Reference (IDOR) vulnerability, CVE-2026-2554, affecting all versions up to and including 6.7.25 of the WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress. The flaw, rated CVSS 8.1 (High), stems from insufficient validation of the user-controlled customerid key in the wcfm_delete_wcfm_customer function: the function acts on whatever user ID the request supplies without confirming that the caller is entitled to act on that account.

This vulnerability enables authenticated attackers with Vendor-level access or higher to delete arbitrary users, including Administrator accounts. The impact goes beyond data loss: removing the administrators leaves the site without anyone able to manage it, and the resulting account churn opens the door to site takeover.

From an attacker's perspective this is low-effort, high-payoff. A compromised vendor account, or a malicious insider who already holds the Vendor role, needs no real technical skill to exploit it. Defenders should recognize that once an attacker holds even a low-privileged foothold, the blast radius expands rapidly when IDORs like this go unmitigated.
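To make the missing check concrete, here is an added Python model of the authorization decision the advisory says is absent. It is not the plugin's PHP and not code from the original page: the role names, the in-memory user table and the sample users are assumptions constructed for the example. The vulnerable handler only checks the caller's role and then deletes whatever customerid it was handed; the hardened one binds the target to the caller (ownership) and refuses to act on accounts at or above the caller's privilege.

```python
"""Model of the authorization gap behind an IDOR like CVE-2026-2554.

Constructed example: an in-memory user table and two versions of a
'delete customer' handler. This is NOT the WCFM plugin's PHP; it models the
check the advisory describes as missing on the user-controlled 'customerid'.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed role hierarchy, ascending privilege (WooCommerce/WCFM-style names).
ROLE_RANK = {"customer": 0, "wcfm_vendor": 1, "shop_manager": 2, "administrator": 3}


@dataclass
class User:
    user_id: int
    role: str
    vendor_id: int | None = None   # for customers: the vendor they belong to


@dataclass
class Site:
    users: dict[int, User] = field(default_factory=dict)

    def add(self, u: User) -> None:
        self.users[u.user_id] = u


class Forbidden(Exception):
    pass


def delete_customer_vulnerable(site: Site, caller_id: int, customerid: int) -> int:
    """Vulnerable pattern: checks only that the caller is a vendor, then acts
    on whatever customerid the request carried. Any vendor can delete any user."""
    caller = site.users[caller_id]
    if ROLE_RANK[caller.role] < ROLE_RANK["wcfm_vendor"]:
        raise Forbidden("vendor role required")
    # No check that customerid refers to an object this caller may act on.
    del site.users[customerid]
    return customerid


def delete_customer_hardened(site: Site, caller_id: int, customerid: int) -> int:
    """Hardened pattern: bind the object to the caller (ownership check) and
    never let a lower-privileged role remove an equal or higher one."""
    caller = site.users[caller_id]
    if ROLE_RANK[caller.role] < ROLE_RANK["wcfm_vendor"]:
        raise Forbidden("vendor role required")
    target = site.users.get(customerid)
    if target is None:
        raise KeyError(customerid)
    # Ownership: a vendor may only delete customers associated with that vendor.
    if target.role == "customer" and target.vendor_id != caller_id:
        raise Forbidden("customer does not belong to this vendor")
    # Privilege bound: administrators and other vendors are out of reach.
    if target.role != "customer" and ROLE_RANK[target.role] >= ROLE_RANK[caller.role]:
        raise Forbidden("cannot delete an account of equal or higher privilege")
    del site.users[customerid]
    return customerid


def build_site() -> Site:
    """Constructed sample data: one admin, two vendors, one customer each."""
    site = Site()
    site.add(User(1, "administrator"))
    site.add(User(10, "wcfm_vendor"))
    site.add(User(11, "wcfm_vendor"))
    site.add(User(100, "customer", vendor_id=10))
    site.add(User(101, "customer", vendor_id=11))
    return site


def demo() -> dict[str, bool]:
    """Run both handlers as vendor 10 against the admin, another vendor's
    customer and the vendor's own customer. True means the deletion went through."""
    results: dict[str, bool] = {}
    for name, handler in (("vulnerable", delete_customer_vulnerable),
                          ("hardened", delete_customer_hardened)):
        for label, target in (("admin", 1), ("other_vendor_customer", 101), ("own_customer", 100)):
            site = build_site()
            try:
                handler(site, caller_id=10, customerid=target)
                results[f"{name}:{label}"] = target not in site.users
            except Forbidden:
                results[f"{name}:{label}"] = False
    return results


if __name__ == "__main__":
    for key, deleted in demo().items():
        print(f"{key}: {'deleted' if deleted else 'blocked'}")
```

The role check alone is what the vulnerable handler already has; the fix is the object-level binding (does this customer belong to this vendor?) plus the privilege bound, and both must sit in the handler itself rather than in the front-end that builds the request.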

What This Means For You

  • If your organization uses WCFM – Frontend Manager for WooCommerce, treat this as urgent: affected releases are 6.7.25 and earlier, so apply the vendor's fix as soon as it is available. This is not a theoretical risk; it is a direct path for a malicious vendor, or an attacker who compromises a vendor account, to remove your administrative accounts. Audit WordPress user-deletion activity (your audit-log plugin, or a handler on the core deleted_user action) for deletions initiated from vendor accounts, and keep the set of accounts holding the Vendor role to the minimum necessary.

🛡️ Detection Rules

One detection rule, auto-generated for this CVE and mapped to MITRE ATT&CK T1531 (Account Access Removal). It is AI-generated and marked experimental, so validate it against your own logs before alerting on it.

Level: critical · ATT&CK: T1531 (Impact)

title: WCFM Customer Deletion via IDOR - CVE-2026-2554
id: scw-2026-05-02-ai-1
status: experimental
level: critical
description: |
  Detects exploitation attempts of the WCFM Frontend Manager IDOR (CVE-2026-2554), in which an attacker with Vendor-level access deletes arbitrary users by sending a POST request to admin-ajax.php with the action 'wcfm_delete_wcfm_customer' and an attacker-chosen 'customerid'. The rule matches on the endpoint, the HTTP method and the presence of both parameters.
  Caveat: admin-ajax.php parameters are normally carried in the POST body rather than the query string, so this rule only fires on log sources that record request parameters (WAF, reverse proxy with body logging, or a WordPress-level request logger), not on plain access logs.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-2554/
tags:
  - attack.impact
  - attack.t1531
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/wp-admin/admin-ajax.php'
    cs-method: 'POST'
    cs-uri-query|contains|all:
      - 'action=wcfm_delete_wcfm_customer'
      - 'customerid='
  selection_base:
    sc-status: 200
  condition: selection and selection_base
falsepositives:
  - Legitimate deletion of a vendor's own customers by that vendor or by an administrator
  - admin-ajax.php returns HTTP 200 for many outcomes, including rejected requests, so the status filter alone does not confirm a successful deletion

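The rule's logic, run over constructed log records as an added Python example (not part of the page or of the rule itself). It reproduces the `selection` and `selection_base` blocks over W3C-style field names and shows why a plain access log misses a real POST: the parameters sit in the request body, which `cs-uri-query` never contains. The field names, the extra `body` field and all five records are assumptions constructed for the example.

```python
"""Apply the page's Sigma selection to constructed web log records.

Added example, not part of the original page or the Sigma rule. It models the
rule's 'selection' (endpoint, method, both parameters) and 'selection_base'
(status 200) over dicts shaped like IIS/W3C-style webserver fields. The sample
records below are constructed, not captured traffic.
"""
from __future__ import annotations

from urllib.parse import parse_qs

ENDPOINT = "/wp-admin/admin-ajax.php"
ACTION = "wcfm_delete_wcfm_customer"
PARAM = "customerid"

# Constructed records. A plain access log carries only the query string, so a
# real POST to admin-ajax.php (parameters in the body) looks like record 2.
# Record 3 is what a WAF or body-logging proxy would emit for the same request.
SAMPLE_LOGS = [
    {"id": 1, "cs-method": "GET", "cs-uri": ENDPOINT,
     "cs-uri-query": "action=heartbeat", "sc-status": 200, "body": ""},
    {"id": 2, "cs-method": "POST", "cs-uri": ENDPOINT,
     "cs-uri-query": "", "sc-status": 200, "body": f"action={ACTION}&{PARAM}=1"},
    {"id": 3, "cs-method": "POST", "cs-uri": ENDPOINT,
     "cs-uri-query": f"action={ACTION}&{PARAM}=1", "sc-status": 200, "body": ""},
    {"id": 4, "cs-method": "POST", "cs-uri": ENDPOINT,
     "cs-uri-query": f"action={ACTION}&{PARAM}=1", "sc-status": 403, "body": ""},
    {"id": 5, "cs-method": "POST", "cs-uri": "/wp-login.php",
     "cs-uri-query": f"action={ACTION}", "sc-status": 200, "body": ""},
]


def _params(rec: dict, include_body: bool) -> str:
    """Query string, optionally joined with the logged request body."""
    if include_body:
        return rec["cs-uri-query"] + "&" + rec.get("body", "")
    return rec["cs-uri-query"]


def selection(rec: dict, include_body: bool = False) -> bool:
    """Mirror of the Sigma 'selection' block: endpoint, POST, and both
    parameters present (contains|all). include_body=True models a WAF-style
    source that records the POST body."""
    params = _params(rec, include_body)
    return (ENDPOINT in rec["cs-uri"]
            and rec["cs-method"] == "POST"
            and f"action={ACTION}" in params
            and f"{PARAM}=" in params)


def selection_base(rec: dict) -> bool:
    """Mirror of 'selection_base': sc-status 200."""
    return rec["sc-status"] == 200


def matches(rec: dict, include_body: bool = False) -> bool:
    """condition: selection and selection_base"""
    return selection(rec, include_body) and selection_base(rec)


def target_user_id(rec: dict, include_body: bool = False) -> str | None:
    """Extract the customerid for alert context (which account was targeted)."""
    return parse_qs(_params(rec, include_body)).get(PARAM, [None])[0]


def run(records: list[dict], include_body: bool = False) -> list[int]:
    """Return the ids of the records the rule would fire on."""
    return [r["id"] for r in records if matches(r, include_body)]


if __name__ == "__main__":
    print("query-string only :", run(SAMPLE_LOGS))                      # [3]
    print("with request body :", run(SAMPLE_LOGS, include_body=True))   # [2, 3]
```

Record 4 is the case the falsepositives note warns about in reverse: the request is unmistakably an exploit attempt but is dropped by the status filter. If your goal is to see attempts rather than only apparent successes, run `selection` without `selection_base` and use the status as a field on the alert instead of a gate.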
Source: Shimi's Cyber World


Indicators of Compromise

These entries describe the vulnerable component rather than observed attacker infrastructure; use them for asset inventory and as log-filter terms.

| ID            | Type   | Indicator |
|---------------|--------|-----------|
| CVE-2026-2554 | IDOR   | WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress, versions <= 6.7.25 |
| CVE-2026-2554 | IDOR   | Vulnerable function: wcfm_delete_wcfm_customer |
| CVE-2026-2554 | IDOR   | Vulnerable parameter: customerid (missing validation) |
| CVE-2026-2554 | Impact | Authenticated attackers with Vendor-level access can delete arbitrary users, including Administrators |

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 02, 2026 at 17:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
