Introduction
A missing ownership check in one of WordPress's most popular multivendor marketplace plugins means that any registered vendor can modify orders, delete products, and trash pages belonging to other vendors or even the store administrator. For the 20,000+ WooCommerce marketplaces relying on WCFM Frontend Manager to power their vendor dashboards, this is a direct threat to data integrity and business continuity.
WCFM Frontend Manager, developed by WC Lovers, is a widely used plugin that transforms a standard WooCommerce store into a full multivendor marketplace. It provides vendor dashboards for managing products, orders, bookings, and subscriptions. The plugin competes in the same space as Dokan and WC Vendors, and its 20,000+ active installations represent a significant share of the WordPress multivendor ecosystem.
Technical Information
CVE-2026-4896 is classified under CWE-639: Authorization Bypass Through User-Controlled Key. The root cause is straightforward: several AJAX handlers in the plugin accept user supplied object IDs (order IDs, product IDs, article IDs) and act on them after verifying only that the request includes a valid nonce and that the user holds a vendor level role. None of these handlers verify that the requesting vendor actually owns the resource they are attempting to modify or delete.
Affected Endpoints
The following AJAX actions are vulnerable:
| Endpoint Action | Nonce Check | Capability Check | Ownership Validation | Impact |
|---|---|---|---|---|
wcfm_modify_order_status | Yes | Yes | No | Updates any order status and fires WooCommerce hooks |
delete_wcfm_article | Yes | Yes | No | Trashes or deletes any post ID |
delete_wcfm_product | Yes | Yes | No | Trashes or deletes any product ID |
The article management controller (class-wcfm-article.php) is also affected, allowing unauthorized article editing.
Order Status Manipulation
The wcfm_modify_order_status function reads order_id and order_status from the POST request. After verifying the wcfm_ajax_nonce and checking if the user holds roles such as wcfm_vendor or manage_woocommerce, the code directly instantiates the order object using wc_get_order( $order_id ) and calls $order->update_status(). No check is performed to confirm the vendor is associated with the order. This means Vendor A can change the status of an order that belongs to Vendor B, or even an order managed directly by the store administrator.
Arbitrary Content Deletion
The delete_wcfm_article and delete_wcfm_product functions accept articleid and proid parameters respectively. After passing the initial nonce and role checks, the functions execute wp_delete_post() or wp_trash_post() on the provided IDs. Because WordPress post IDs are sequential integers, a malicious vendor could iterate through IDs and delete products belonging to the marketplace owner or competing vendors. The same pattern applies to the article management controller in class-wcfm-article.php, which handles article editing without ownership validation.
Attack Flow
- An attacker registers as a vendor on a WCFM powered marketplace (or compromises an existing vendor account).
- The attacker authenticates and obtains a valid
wcfm_ajax_noncefrom the vendor dashboard. - The attacker crafts a POST request to the
wcfm_modify_order_statusAJAX action, supplying an arbitraryorder_id(for example, an order belonging to a competing vendor) and a desiredorder_status. - The server validates the nonce and confirms the user has a vendor role, then processes the status change without verifying ownership.
- The attacker repeats this process for
delete_wcfm_productordelete_wcfm_article, supplying sequential post IDs to trash or permanently delete products, articles, or even WordPress pages.
The attack requires no user interaction and can be fully automated once the attacker has vendor credentials and a valid nonce.
Patch Information
The vulnerability was patched in WCFM Frontend Manager version 6.7.26, released on March 16, 2026 (changeset 3483695 in the WordPress plugin repository). The fix addresses the core problem by introducing ownership validation using the function wcfm_user_can_perform_request() across all affected code paths. This function checks whether the currently authenticated user is either an administrator or the actual author/owner of the target post or order. If the check fails, the request is immediately terminated with an error.
Fix in delete_wcfm_product (class-wcfm-ajax.php)
In the vulnerable version, after extracting the proid parameter, the function jumped straight to deleting the product. Version 6.7.26 adds a multi step guard. First, it verifies the product actually exists by calling wc_get_product(). Then it retrieves the post_author via get_post_field('post_author', $product_id) and passes it through the new ownership gate:
$resource_owner_id = get_post_field('post_author', $product_id); if (!wcfm_user_can_perform_request($resource_owner_id, 'product_delete')) { wp_send_json_error(esc_html__('You don\'t have permission to do this.', 'woocommerce')); }
This blocks any vendor from deleting products that belong to another vendor or to the store admin.
Fix in wcfm_modify_order_status (class-wcfm-ajax.php)
Previously, a vendor could supply any arbitrary order_id and change its status. The patched code now validates the order object and then calls $WCFM->wcfm_vendor_support->wcfm_is_order_for_vendor($order_id) to confirm the order is actually associated with the current vendor:
$order = wc_get_order($order_id); if (!is_a($order, 'WC_Order') || !$WCFM->wcfm_vendor_support->wcfm_is_order_for_vendor($order_id)) { wp_send_json_error(__('Invalid Order', 'wc-frontend-manager')); }
Additionally, the handler now validates the supplied status string using wc_is_order_status() before applying it.
Fix in delete_wcfm_article and the Article Management Controller (class-wcfm-article.php)
The article deletion handler received the same treatment. After extracting the article ID, the patched code fetches the post object, confirms it is actually a post post type (not a page or product), then checks the post_author against the current user:
$wcfm_article = get_post($articleid); if (!$wcfm_article || $wcfm_article->post_type !== 'post') { wp_send_json_error(__('Invalid Article.', 'wc-frontend-manager')); } $resource_owner_id = $wcfm_article->post_author; if (!wcfm_user_can_perform_request($resource_owner_id, 'article_delete')) { wp_send_json_error(esc_html__('You don\'t have permission to do this.', 'woocommerce')); }
The same pattern was applied to the wcfm-articles-manage AJAX controller, which handles article editing. The context tag article_edit is used instead of article_delete, but the validation mechanism is identical: confirming the requesting user is the author of the resource.
In summary, the fix is a textbook IDOR remediation. Every handler that acts on a user supplied object ID now confirms the requesting user is the legitimate owner of that object before proceeding. The patch was committed by the plugin author (wclovers) and is available by updating to version 6.7.26 or later.
Affected Systems and Versions
| Version Range | Status | Required Action |
|---|---|---|
| All versions from 0 through 6.7.25 | Vulnerable | IDOR on multiple AJAX actions; update immediately |
| 6.7.26 and newer | Patched | Access control restored with ownership validation |
The vulnerability affects any WordPress installation running the WCFM Frontend Manager for WooCommerce plugin (slug: wc-frontend-manager) at version 6.7.25 or earlier. The plugin must be active, and the attacker needs at least Vendor level authentication. Sites using WCFM in combination with WooCommerce Bookings, Subscriptions, or Listings extensions are equally affected, as the vulnerable code resides in the core WCFM plugin.
Vendor Security History
WC Lovers has demonstrated responsiveness in patching security issues, but the pattern of authorization related vulnerabilities in WCFM is notable. Version 6.7.26, the same release that patches CVE-2026-4896, also addresses an Authenticated (Shop Manager+) Arbitrary Options Update vulnerability and a separate Broken Access Control vulnerability. Prior to that, version 6.7.25 addressed a Missing Authorization flaw tracked as CVE-2025-54004. This recurring pattern of access control gaps suggests that the plugin's complex role management system (supporting store admins, vendors, shop managers, and delivery personnel) has historically lacked a centralized authorization framework. The introduction of wcfm_user_can_perform_request() in version 6.7.26 appears to be a step toward addressing this architectural gap. Marketplace administrators should treat WCFM updates as high priority given this history.
References
- Wordfence Threat Intel: WCFM Frontend Manager <= 6.7.25 IDOR Vulnerability
- NVD: CVE-2026-4896 Detail
- CVE Record: CVE-2026-4896
- Vulnerable Source: class-wcfm-ajax.php (tag 6.7.24)
- Vulnerable Source: class-wcfm-article.php (tag 6.7.24)
- Patched Source: class-wcfm-ajax.php (tag 6.7.26)
- Patched Source: class-wcfm-article.php (tag 6.7.26)
- WordPress Plugin Page: WCFM Frontend Manager
- Wordfence: WCFM Frontend Manager <= 6.7.24 Missing Authorization (CVE-2025-54004)
