PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10041 wclovers CVE debrief

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This vulnerability allows authenticated attackers with subscriber-level access and above to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors. The vulnerability has a CVSS score of 4.3 and is considered medium severity.

Vendor
wclovers
Product
WCFM – Frontend Manager for WooCommerce
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Authenticated attackers with subscriber-level access and above may be able to exploit this vulnerability. Operators of WooCommerce sites using the WCFM – Frontend Manager plugin should review and verify the version of the plugin. Security teams should prioritize patching and implement compensating controls to detect and respond to potential exploitation attempts.

Technical summary

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors.

Defensive priority

Medium priority given the CVSS score of 4.3 and the potential impact of the vulnerability.

Recommended defensive actions

  • Inventory and verify the version of the WCFM – Frontend Manager for WooCommerce plugin for WordPress.
  • Apply patches or updates to address the vulnerability.
  • Implement compensating controls, such as monitoring and exception tracking, to detect and respond to potential exploitation attempts.
  • Restrict access to sensitive areas of the plugin to authorized users only.
  • Review and verify the configuration of the plugin to prevent exploitation.
  • Monitor for suspicious activity and implement additional security measures as needed.
  • Track exceptions and retest remediated assets to ensure the vulnerability is fully resolved.

Evidence notes

The CVE record was published on 2026-07-11T07:16:44.783Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence is limited to CVE and NVD details. Defenders should verify vendor patch guidance and implement compensating controls.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:44.783Z and has not been modified since then.