CVE-2026-2554 Overview
CVE-2026-2554 is an Insecure Direct Object Reference (IDOR) vulnerability in the WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress. The flaw affects all versions up to and including 6.7.25. The plugin fails to validate the customerid user-controlled key in the wcfm_delete_wcfm_customer function. Authenticated attackers with Vendor-level access or higher can delete arbitrary users on the WordPress site, including Administrators. The vulnerability is tracked under CWE-639: Authorization Bypass Through User-Controlled Key.
Critical Impact
Vendor-level users can delete any account on the WordPress installation, including Administrator accounts, leading to integrity and availability loss across the storefront.
Affected Products
- WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (WordPress plugin)
- All plugin versions up to and including 6.7.25
- Fixed in changeset 3483695 (post-6.7.25 release)
Discovery Timeline
- 2026-05-02 - CVE-2026-2554 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-2554
Vulnerability Analysis
The WCFM plugin extends WooCommerce with multivendor functionality, allowing vendors to manage their own storefronts and customer relationships from the front end. The wcfm_delete_wcfm_customer action is intended to allow vendors to remove customers associated with their own store. The implementation in class-wcfm-customer.php accepts a customerid parameter from the request and processes the deletion without verifying that the supplied identifier belongs to a customer the requesting vendor has authority over.
Because the handler trusts the client-supplied identifier, an authenticated vendor can substitute any user ID, including the ID of a site Administrator. The deletion proceeds against the WordPress users table, removing the targeted account. This produces an integrity and availability impact on the site, since removing administrators disrupts site management and content ownership.
Root Cause
The root cause is missing authorization on a user-controlled key. The wcfm_delete_wcfm_customer callback validates that the request originates from an authenticated vendor but does not validate that the customerid value maps to a user the vendor is permitted to manage. This pattern is the classic IDOR weakness described in CWE-639.
Attack Vector
Exploitation requires an authenticated session at Vendor role or above. The attacker submits a crafted request to the WCFM customer deletion endpoint with the customerid parameter set to the WordPress user ID of the target account. No user interaction is required, and the request is delivered over the network to the affected site. See the vulnerable code path in the WordPress Plugin Code Reference and the corrective WordPress Changeset Update.
No public proof-of-concept exploit has been published. Refer to the Wordfence Vulnerability Report for additional analysis.
Detection Methods for CVE-2026-2554
Indicators of Compromise
- Unexpected deletion of Administrator or Editor accounts in the WordPress users table.
- POST requests to the WCFM AJAX endpoint invoking action wcfm_delete_wcfm_customer with customerid values that do not correspond to the requesting vendor's customer base.
- Audit log gaps where high-privilege user records disappear without a corresponding admin-initiated action.
Detection Strategies
- Monitor web server logs for HTTP requests containing the parameter string wcfm_delete_wcfm_customer originating from non-administrator sessions.
- Compare the WordPress wp_users table against periodic backups to surface unauthorized deletions.
- Enable a WordPress activity log plugin to record delete_user events and correlate them with the originating request and authenticated role.
Monitoring Recommendations
- Alert when any non-administrator role triggers a delete_user capability check inside WordPress.
- Track changes to the count of users assigned the administrator role and alert on any decrease.
- Forward WordPress and WooCommerce logs to a centralized SIEM or data lake for retention and correlation with vendor account activity.
How to Mitigate CVE-2026-2554
Immediate Actions Required
- Update the WCFM – Frontend Manager plugin to a version higher than 6.7.25 that includes the fix from changeset 3483695.
- Audit the WordPress users table for unexpected account deletions and restore from backup where required.
- Review existing Vendor accounts and remove any that are inactive, unrecognized, or unnecessary.
Patch Information
The vendor addressed the missing authorization check in WordPress Changeset 3483695, which adds validation against the user-supplied customerid before deletion proceeds. Site operators should upgrade through the WordPress plugin updater or by deploying the patched release directly.
Workarounds
- Restrict creation of new Vendor accounts and require manual approval until the patch is applied.
- Place a Web Application Firewall rule in front of the site that blocks requests containing action=wcfm_delete_wcfm_customer from authenticated sessions that are not administrators.
- Temporarily deactivate the WCFM plugin if vendor self-service is not business-critical until the upgrade is complete.
# Configuration example: temporarily block the vulnerable action via .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)action=wcfm_delete_wcfm_customer(&|$) [NC]
RewriteRule ^ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
