CVE-2026-3477 Overview
The PZ Frontend Manager plugin for WordPress contains a Missing Authorization vulnerability (CWE-862) in all versions up to and including 1.0.6. The pzfm_user_request_action_callback() function, registered via the wp_ajax_pzfm_user_request_action action hook, lacks both capability checks and nonce verification. This function handles user activation, deactivation, and deletion operations. When the dataType parameter is set to delete, the function calls wp_delete_user() on all provided user IDs without verifying that the current user has the appropriate permissions.
Notably, the similar pzfm_remove_item_callback() function does check pzfm_can_delete_user() before performing deletions, indicating this was an oversight in the vulnerable function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary WordPress users (including administrators) by sending a crafted request to the AJAX endpoint.
Critical Impact
Authenticated attackers with the lowest default privilege level (Subscriber) can delete any WordPress user account, including every administrator account. The direct consequences are administrative lockout and denial of service; because wp_delete_user() deletes the target's posts unless they are explicitly reassigned, content can be lost as well. The attacker does not gain administrator access directly, but a site with no remaining administrators is effectively out of its owners' control until accounts are restored at the database level or from backup.
Affected Products
- PZ Frontend Manager plugin for WordPress version 1.0.6 and earlier
Discovery Timeline
- 2026-04-08 - CVE-2026-3477 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-3477
Vulnerability Analysis
This vulnerability represents a classic Missing Authorization flaw where security controls were inconsistently applied across similar functions. The pzfm_user_request_action_callback() function processes AJAX requests for user management operations but fails to implement the same authorization checks present in the analogous pzfm_remove_item_callback() function.
The vulnerable function is exposed through WordPress's AJAX handler system. A callback attached to a wp_ajax_{action} hook runs for any logged-in user who submits that action to /wp-admin/admin-ajax.php, whatever their role; admin-ajax.php itself performs no role check, so authorization is entirely the callback's responsibility. Without capability checks, the function never verifies that the requesting user holds the delete_users capability that WordPress's own user management requires. Without nonce verification, the function also lacks CSRF protection, so an administrator could be induced to trigger the same operation from another site; the primary concern here, however, is the missing authorization check.
The function processes a dataType parameter that determines the operation type, and when set to delete, it passes user IDs directly to WordPress's wp_delete_user() function. This allows any authenticated user to delete arbitrary accounts, including administrator accounts, by crafting appropriate AJAX requests.
Root Cause
The root cause is an oversight in the plugin's authorization implementation. While the developers correctly implemented capability checks in the pzfm_remove_item_callback() function using pzfm_can_delete_user(), they failed to apply the same protection to the pzfm_user_request_action_callback() function. This inconsistency allowed a code path that performs the same sensitive operation (user deletion) to bypass security controls entirely.
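To make the flaw concrete, the following is an added illustration, not the plugin's source code: a minimal reconstruction of the handler shape the advisory describes, with the vulnerable form beside a hardened one. Only the hook name wp_ajax_pzfm_user_request_action, the dataType=delete parameter and the call to wp_delete_user() are taken from the advisory; the request parameter carrying user IDs (user_ids), the nonce action name (pzfm_user_request) and the function names are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. The hook name, dataType=delete and
// wp_delete_user() come from the advisory; the 'user_ids' parameter, the
// 'pzfm_user_request' nonce action and the function names are assumptions.

// --- Vulnerable shape: any logged-in user reaches it, no nonce, no capability check.
function pzfm_user_request_action_callback_vulnerable() {
    $type = isset( $_POST['dataType'] ) ? sanitize_key( $_POST['dataType'] ) : '';
    $ids  = isset( $_POST['user_ids'] ) ? (array) $_POST['user_ids'] : array();

    if ( 'delete' === $type ) {
        // wp_delete_user() lives in wp-admin/includes/user.php (already loaded
        // by admin-ajax.php; the require is here so the dependency is explicit).
        require_once ABSPATH . 'wp-admin/includes/user.php';
        foreach ( $ids as $id ) {
            wp_delete_user( (int) $id ); // a Subscriber can pass the administrator's ID here
        }
    }
    wp_send_json_success();
}

// --- Hardened shape: nonce first (CSRF), then capability, then a per-target check.
function pzfm_user_request_action_callback_hardened() {
    // 1. Reject cross-site requests. check_ajax_referer() terminates the request
    //    with -1 / HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'pzfm_user_request', 'nonce' );

    $type = isset( $_POST['dataType'] ) ? sanitize_key( $_POST['dataType'] ) : '';
    $ids  = isset( $_POST['user_ids'] ) ? array_map( 'intval', (array) $_POST['user_ids'] ) : array();

    if ( 'delete' === $type ) {
        // 2. Same primitive capability that wp-admin/users.php demands.
        if ( ! current_user_can( 'delete_users' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        require_once ABSPATH . 'wp-admin/includes/user.php';
        foreach ( $ids as $id ) {
            // 3. Per-target check via the delete_user meta capability, and never let a
            //    request delete the account that is issuing it.
            if ( $id <= 0 || $id === get_current_user_id() || ! current_user_can( 'delete_user', $id ) ) {
                wp_send_json_error( 'forbidden', 403 );
            }
            // Reassign the target's content to the caller instead of deleting it silently.
            wp_delete_user( $id, get_current_user_id() );
        }
    }
    wp_send_json_success();
}

// wp_ajax_* hooks fire for every authenticated user regardless of role, which is
// exactly why the checks must live inside the callback rather than be assumed.
add_action( 'wp_ajax_pzfm_user_request_action', 'pzfm_user_request_action_callback_hardened' );
```

For the hardened version to work, the front-end form or script must include a nonce generated with wp_create_nonce( 'pzfm_user_request' ) in a field named nonce; the ordering matters because the nonce check is cheap and stops CSRF before any database work, while the per-target current_user_can( 'delete_user', $id ) call lets WordPress's map_meta_cap() apply its own rules (for example refusing to delete the last super admin on multisite) on top of the coarse delete_users check.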
Attack Vector
The attack is network-based and requires minimal privileges. An attacker needs only a valid WordPress account with Subscriber-level access. The attack flow involves:
- Authenticating to WordPress with any valid user account (including the lowest-privilege Subscriber role); on sites with open registration the attacker can simply create one
- Identifying target user IDs to delete (administrators can often be identified through author archive pages or, where it is exposed, the REST API users endpoint; the original administrator is frequently user ID 1)
- Sending a POST request to /wp-admin/admin-ajax.php carrying the logged-in session cookies, with:
  - Action parameter: pzfm_user_request_action
  - dataType parameter: delete
  - User ID(s) to delete
- The server runs the callback without any authorization check and deletes the specified users
The vulnerability mechanism involves the pzfm_user_request_action_callback() function directly calling wp_delete_user() without first verifying that the requesting user has the delete_users capability. For full technical details, see the WordPress Plugin Code Reference and the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-3477
Indicators of Compromise
- Unexpected user account deletions, particularly of administrator accounts, with no corresponding administrative activity
- AJAX requests to wp-admin/admin-ajax.php with action pzfm_user_request_action issued by non-administrator users. Note that the action and dataType parameters normally travel in the POST body, which standard web server access logs do not record; they are visible only where the attacker placed them in the query string, or in WAF or application-level logs that capture request bodies
- Sudden loss of user accounts followed by inability to access WordPress administrative functions
- Web server or WAF logs showing POST requests to the AJAX endpoint with dataType=delete parameters (subject to the body-logging caveat above)
Detection Strategies
- Monitor WordPress activity logs for user deletion events, especially ones that do not correlate with an administrator's login session
- Implement web application firewall (WAF) rules that inspect the POST body as well as the query string and alert on AJAX requests containing action=pzfm_user_request_action together with dataType=delete
- Review access and application logs for requests to the pzfm_user_request_action action from sessions belonging to non-administrator accounts (the IP address alone does not identify the role; correlate with the WordPress session or user ID)
- Monitor the wp_users and wp_usermeta tables for unexpected row deletions, for example with database audit logging or periodic snapshot comparisons (file integrity monitoring does not see changes inside database tables)
Monitoring Recommendations
- Enable WordPress audit logging plugins to capture all user management operations with full context
- Configure alerts for any user deletion events that occur outside of normal administrative workflows
- Monitor for new user registrations followed immediately by deletion requests (potential attack pattern)
- Implement rate limiting on AJAX endpoints to slow down potential mass-deletion attacks
How to Mitigate CVE-2026-3477
Immediate Actions Required
- Update the PZ Frontend Manager plugin to a patched version when available
- If no patch is available, immediately deactivate and remove the PZ Frontend Manager plugin
- Audit WordPress user accounts for any unexpected deletions or modifications
- Review web server access logs for potential exploitation attempts against the vulnerable endpoint
- Restore any deleted user accounts from backup if exploitation has occurred
Patch Information
No vendor patch has been confirmed at this time. Check the WordPress plugin repository for updated versions of PZ Frontend Manager that address this vulnerability. Monitor the Wordfence Vulnerability Report for patch availability updates.
Workarounds
- Deactivate the PZ Frontend Manager plugin until a patched version is available
- Implement a web application firewall rule that blocks requests to the vulnerable AJAX action; the rule must inspect the POST body, since admin-ajax.php reads the action from $_REQUEST and the attacker will send it there
- Restrict user registration if possible (Settings > General > Membership) to limit the pool of potential attackers
- Consider implementing custom code to add capability checks in front of the vulnerable function, for example as a must-use plugin (advanced users only)
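The detection recommendations above and the custom-code workaround can be served by one small must-use plugin. The following is an added example, not part of PZ Frontend Manager or of any vendor fix: dropped into wp-content/mu-plugins/, it logs every user deletion with the acting user, their capability and the request context (covering the gap that access logs never see the POST body), and it stops dataType=delete on the pzfm_user_request_action AJAX action for anyone without the delete_users capability. It assumes the plugin registers its own callback at the default priority 10, so a priority-0 hook on the same action runs first, and it cannot add CSRF protection because the plugin's nonce action, if any, is not known.

```php
<?php
/**
 * Plugin Name: PZFM user-deletion guard
 * Description: Added example (not part of PZ Frontend Manager). Logs every user
 *              deletion with actor and request context, and refuses dataType=delete on
 *              the pzfm_user_request_action AJAX action unless the caller can delete users.
 *
 * Assumptions: the plugin's callback runs at the default priority 10, so priority 0
 * here executes first; the nonce action the plugin uses is unknown, so this shim adds
 * authorization only, not CSRF protection. Place in wp-content/mu-plugins/.
 */

// (1) Detection. The delete_user hook fires for every deletion, whichever code path
//     caused it, and at that point the request that triggered it is still available.
add_action( 'delete_user', 'pzfm_guard_log_deletion', 10, 3 );
function pzfm_guard_log_deletion( $id, $reassign, $user ) {
    $actor = wp_get_current_user(); // WP_User with ID 0 for unauthenticated/cron contexts
    $line  = sprintf(
        'pzfm-guard: user %d (%s) deleted by actor %d (roles=%s, can_delete_users=%s) via action=%s dataType=%s from %s',
        $id,
        $user instanceof WP_User ? $user->user_login : '?',
        $actor->ID,
        $actor->ID ? implode( ',', $actor->roles ) : 'none',
        current_user_can( 'delete_users' ) ? 'yes' : 'NO',
        isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '-',
        isset( $_REQUEST['dataType'] ) ? sanitize_key( $_REQUEST['dataType'] ) : '-',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    );
    // Goes to the PHP error log (or wp-content/debug.log with WP_DEBUG_LOG).
    // Alert on any line containing can_delete_users=NO.
    error_log( $line );
}

// (2) Mitigation. Hooked at priority 0 on the same AJAX action so it runs before the
//     plugin's callback; wp_send_json_error() emits JSON and exits, so the plugin's
//     handler never executes for a blocked request.
add_action( 'wp_ajax_pzfm_user_request_action', 'pzfm_guard_block_unauthorized_delete', 0 );
function pzfm_guard_block_unauthorized_delete() {
    $type = isset( $_REQUEST['dataType'] ) ? sanitize_key( $_REQUEST['dataType'] ) : '';
    if ( 'delete' === $type && ! current_user_can( 'delete_users' ) ) {
        error_log( sprintf(
            'pzfm-guard: BLOCKED delete attempt by user %d from %s',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
        wp_send_json_error( 'forbidden', 403 );
    }
}
```

Legitimate administrators using the plugin's front-end user management are unaffected, since they hold delete_users. The advisory also says the same callback handles activation and deactivation without checks; the guard above leaves those paths alone because the advisory does not state which roles the plugin intends to allow there, so extend it with an edit_users condition only after confirming the site's intended workflow.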
# Workaround: block the vulnerable AJAX action at the web server (Apache/mod_rewrite)
# Add to the WordPress .htaccess file, above the block WordPress generates.
# Caveat: mod_rewrite can only test the request line, headers and query string.
# There is no REQUEST_BODY variable, so the action of an ordinary POST to
# admin-ajax.php (where WordPress reads it from $_REQUEST) is invisible here.
# This rule only stops the variant that passes the action in the URL; blocking
# it in the POST body needs a WAF with body inspection (e.g. ModSecurity) or
# a check inside WordPress itself, and blocking it at all also disables the
# plugin's legitimate user management for administrators.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax\.php$ [NC]
RewriteCond %{QUERY_STRING} (^|&)action=pzfm_user_request_action(&|$) [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


