Vulnerabilities and security researches forwc-frontend-manager wc-frontend-manager

Jul 12, 2025

CVE, Research URL: CVE-2025-3780
Home page URL: Security reports for WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Application: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Date: Jul 09, 2025
Research Description: The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys
Affected versions: Min -, max -.
Status: vulnerable

Sep 26, 2024

CVE, Research URL: CVE-2024-8290
Home page URL: Security reports for WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Application: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Date: Sep 25, 2024
Research Description: The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the ID user controlled key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts which allows them to reset the password and access the administrator account.
Affected versions: Min -, max -.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2022-4938
Home page URL: Security reports for WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Application: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Date: Apr 05, 2023
Research Description: The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link. There were hundreds of AJAX endpoints affected.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-4937
Home page URL: Security reports for WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Application: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Date: Apr 05, 2023
Research Description: The WCFM Frontend Manager plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 6.6.0 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more. There were hundreds of AJAX endpoints affected.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-29929
Home page URL: Security reports for WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Application: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Date: Mar 27, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WC Lovers WCFM – Frontend Manager for WooCommerce allows Stored XSS.This issue affects WCFM – Frontend Manager for WooCommerce: from n/a through 6.7.8.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-24835
Home page URL: Security reports for WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Application: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Date: Nov 08, 2021
Research Description: The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible WordPress plugin before 6.5.12, when used in combination with another WCFM - WooCommerce Multivendor plugin such as WCFM - WooCommerce Multivendor Marketplace, does not escape the withdrawal_vendor parameter before using it in a SQL statement, allowing low privilege users such as Subscribers to perform SQL injection attacks
Affected versions: Min -, max -.
Status: vulnerable