Vulnerabilities and security researches forwc-frontend-manager wc-frontend-manager
Direction: ascendingJun 06, 2024
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible # CVE-2022-4938
- CVE, Research URL
- Home page URL
- Application
-
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
- Date
- Apr 05, 2023
- Research Description
- The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link. There were hundreds of AJAX endpoints affected.
- Affected versions
-
max 6.6.0.
- Status
-
vulnerable
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible # CVE-2022-4937
- CVE, Research URL
- Home page URL
- Application
-
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
- Date
- Apr 05, 2023
- Research Description
- The WCFM Frontend Manager plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 6.6.0 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more. There were hundreds of AJAX endpoints affected.
- Affected versions
-
max 6.6.1.
- Status
-
vulnerable
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible # CVE-2024-29929
- CVE, Research URL
- Home page URL
- Application
-
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
- Date
- Mar 27, 2024
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WC Lovers WCFM – Frontend Manager for WooCommerce allows Stored XSS.This issue affects WCFM – Frontend Manager for WooCommerce: from n/a through 6.7.8.
- Affected versions
-
max 6.7.9.
- Status
-
vulnerable
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible # CVE-2021-24835
- CVE, Research URL
- Home page URL
- Application
-
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
- Date
- Nov 08, 2021
- Research Description
- The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible WordPress plugin before 6.5.12, when used in combination with another WCFM - WooCommerce Multivendor plugin such as WCFM - WooCommerce Multivendor Marketplace, does not escape the withdrawal_vendor parameter before using it in a SQL statement, allowing low privilege users such as Subscribers to perform SQL injection attacks
- Affected versions
-
max 6.6.2.
- Status
-
vulnerable
Sep 26, 2024
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible # CVE-2024-8290
- CVE, Research URL
- Home page URL
- Application
-
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
- Date
- Sep 25, 2024
- Research Description
- The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the ID user controlled key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts which allows them to reset the password and access the administrator account.
- Affected versions
-
max 6.7.13.
- Status
-
vulnerable
Jul 12, 2025
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible # CVE-2025-3780
- CVE, Research URL
- Home page URL
- Application
-
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
- Date
- Jul 09, 2025
- Research Description
- The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys
- Affected versions
-
max 6.7.17.
- Status
-
vulnerable
Jan 11, 2026
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible # CVE-2025-54004
- CVE, Research URL
- Home page URL
- Application
-
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
- Date
- Dec 16, 2025
- Research Description
- Missing Authorization vulnerability in WC Lovers WCFM – Frontend Manager for WooCommerce wc-frontend-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCFM – Frontend Manager for WooCommerce: from n/a through <= 6.7.21.
- Affected versions
-
max 6.7.21.
- Status
-
vulnerable
Apr 13, 2026
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible # CVE-2026-4896
- CVE, Research URL
- Home page URL
- Application
-
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
- Date
- Apr 04, 2026
- Research Description
- The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership.
- Affected versions
-
max 6.7.26.
- Status
-
vulnerable
Apr 18, 2026
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible # CVE-2026-0845
- CVE, Research URL
- Home page URL
- Application
-
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
- Date
- Feb 10, 2026
- Research Description
- The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
- Affected versions
-
max 6.7.25.
- Status
-
vulnerable
May 03, 2026
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible # CVE-2026-2554
- CVE, Research URL
- Home page URL
- Application
-
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
- Date
- May 02, 2026
- Research Description
- The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.
- Affected versions
-
max 6.7.26.
- Status
-
vulnerable