PatchSiren cyber security CVE debrief
CVE-2026-10041 wclovers CVE debrief
The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This vulnerability allows authenticated attackers with subscriber-level access and above to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors. The vulnerability has a CVSS score of 4.3 and is considered medium severity.
- Vendor
- wclovers
- Product
- WCFM – Frontend Manager for WooCommerce
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Authenticated attackers with subscriber-level access and above may be able to exploit this vulnerability. Operators of WooCommerce sites using the WCFM – Frontend Manager plugin should review and verify the version of the plugin. Security teams should prioritize patching and implement compensating controls to detect and respond to potential exploitation attempts.
Technical summary
The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors.
Defensive priority
Medium priority given the CVSS score of 4.3 and the potential impact of the vulnerability.
Recommended defensive actions
- Inventory and verify the version of the WCFM – Frontend Manager for WooCommerce plugin for WordPress.
- Apply patches or updates to address the vulnerability.
- Implement compensating controls, such as monitoring and exception tracking, to detect and respond to potential exploitation attempts.
- Restrict access to sensitive areas of the plugin to authorized users only.
- Review and verify the configuration of the plugin to prevent exploitation.
- Monitor for suspicious activity and implement additional security measures as needed.
- Track exceptions and retest remediated assets to ensure the vulnerability is fully resolved.
Evidence notes
The CVE record was published on 2026-07-11T07:16:44.783Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence is limited to CVE and NVD details. Defenders should verify vendor patch guidance and implement compensating controls.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:44.783Z and has not been modified since then.