CVE-2026-0845

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers with Shop Manager or higher privileges in WordPress to modify arbitrary site options due to missing capability checks. Attackers can change the default user registration role to administrator and enable user registration, gaining full administrative access. All WordPress sites using vulnerable versions of the WCFM plugin are affected.

💻 Affected Systems

Products:
  • WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Versions: All versions up to and including 6.7.24
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin and at least one user with Shop Manager or higher privileges.

⚠️ Manual Verification Required

The CVE record used for automatic matching carries no machine-readable version range, so automated detection cannot tell whether a given site is affected. The affected range is nonetheless known from the changeset linked as the vendor advisory under Fix & Mitigation: 6.7.24 and earlier are vulnerable, 6.7.25 and later are fixed. Check the installed plugin version directly (see How to Verify) rather than relying on a scanner.

Recommended Actions:
  1. Review the CVE record at NVD and the vendor changeset.
  2. Compare the installed WCFM version against the affected range (6.7.24 and earlier).
  3. Confirm in your own environment whether a Shop Manager account can change site options.
  4. Update to 6.7.25 or later.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover: the attacker sets the default registration role to administrator, enables registration, registers an administrator account, and from there installs backdoors, steals data, defaces the site, or uses it to attack others.

🟠 Likely Case

An attacker who already holds Shop Manager access (a disgruntled or compromised staff or agency account) escalates to administrator and gains full control over the WordPress installation and its data.

🟢 If Mitigated

Limited impact if Shop Manager access is restricted to trusted staff and option and role changes are monitored, though the missing check itself remains until the plugin is updated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with Shop Manager privileges or higher. The vulnerability is straightforward to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.7.25 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3455819/wc-frontend-manager/trunk/controllers/settings/wcfm-controller-settings.php (changeset to the settings controller, controllers/settings/wcfm-controller-settings.php, in the WordPress.org plugin repository)

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WCFM – Frontend Manager for WooCommerce'.
4. Click 'Update Now' if available, or manually update to version 6.7.25 or later.
5. Verify the update completed successfully (the listed version should read 6.7.25 or higher).

🔧 Temporary Workarounds

Remove vulnerable plugin

all

Temporarily deactivate or remove the WCFM plugin until it can be updated. Deactivation is enough to stop the plugin's AJAX controllers from loading; deletion also removes the files. Either one takes WCFM's frontend dashboard offline for every vendor, so plan the outage.

wp plugin deactivate wc-frontend-manager
wp plugin delete wc-frontend-manager

Restrict user roles

linux

Temporarily demote Shop Manager accounts that are not fully trusted. Two things to note before running this: wp user set-role takes the user first and the role second (so each ID must be substituted into the middle of the command, not appended), and set-role replaces every role the user holds. List the accounts first and exclude the ones that must keep access.

wp user list --role=shop_manager --field=ID | xargs -I{} wp user set-role {} subscriber
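The one-liner above demotes every Shop Manager at once. The following shell script is an added example, not code from this advisory or from WCFM, that turns wp-cli's user listing into a demotion plan you can review before executing: it reads the CSV that `wp user list --role=shop_manager --fields=ID,user_login --format=csv` produces, skips an allowlist of logins, and prints one correctly ordered `wp user set-role` command per remaining account. The allowlist names and the sample listing at the bottom are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example for CVE-2026-0845 (not from the advisory or from WCFM).
# Turns wp-cli's Shop Manager listing into a reviewable demotion plan instead
# of piping raw IDs into xargs. Assumed input format is the output of:
#   wp user list --role=shop_manager --fields=ID,user_login --format=csv
# i.e. a header row followed by "ID,user_login" lines (no quoted fields).

# Logins that keep Shop Manager. Constructed names; replace with your own.
WCFM_KEEP_LOGINS="store_owner ops_lead"

# wcfm_demotion_plan < listing.csv
# Prints one "wp user set-role <ID> subscriber" line per account not in
# WCFM_KEEP_LOGINS. Nothing is executed; review the plan, then pipe it to sh.
wcfm_demotion_plan() {
  local header id login k keep
  IFS= read -r header || return 0          # header row: ID,user_login
  while IFS=, read -r id login; do
    if [ -z "$id" ]; then continue; fi
    keep=0
    for k in $WCFM_KEEP_LOGINS; do
      if [ "$login" = "$k" ]; then keep=1; fi
    done
    if [ "$keep" -eq 1 ]; then continue; fi
    # Argument order matters: wp user set-role <user> <role>.
    # set-role replaces every role the user holds, which is the intent here.
    printf 'wp user set-role %s subscriber\n' "$id"
  done
}

# Constructed listing standing in for the live wp-cli output.
WCFM_SAMPLE_LISTING='ID,user_login
12,store_owner
37,seasonal_temp
41,agency_contractor'

printf '%s\n' "$WCFM_SAMPLE_LISTING" | wcfm_demotion_plan
# Live use, once the printed plan has been reviewed:
#   wp user list --role=shop_manager --fields=ID,user_login --format=csv \
#     | wcfm_demotion_plan | sh
```

Because `wp user list --role=shop_manager` also returns accounts that hold Shop Manager alongside another role, read the printed plan for any ID that is also an administrator before piping it to `sh`; set-role would strip that role too.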

🧯 If You Can't Patch

  • Immediately audit all accounts with Shop Manager or higher privileges and restrict them to trusted personnel.
  • Monitor user role changes and option modifications in WordPress, in particular any change to default_role or users_can_register.
  • Re-check default_role and users_can_register after any WCFM settings save; the attack path in this advisory sets the first to administrator and turns the second on.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in WordPress admin under Plugins > Installed Plugins, or run the command below. Any version up to and including 6.7.24 is affected.

Check Version:

wp plugin get wc-frontend-manager --field=version

Verify Fix Applied:

Confirm the plugin version is 6.7.25 or higher using the same method. As a functional check, log in as a Shop Manager and confirm that saving WCFM settings can no longer change core options, and confirm that default_role and users_can_register still hold their expected values (default_role should not be administrator, and users_can_register should be off unless your site deliberately allows registration).
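As an added example (not code from this advisory or from WCFM), the two checks above as shell functions: one compares a plugin version string against the 6.7.25 fix version, the other tests whether default_role and users_can_register are in the state an attacker exploiting this issue would leave them in (a privileged default role, worse still with registration open). The only live commands assumed are wp-cli's `wp plugin get` and `wp option get`; the version strings and option values in the demo at the bottom are constructed.

```shell
#!/usr/bin/env bash
# Added example for CVE-2026-0845 (not code from the advisory or from WCFM).
# Fix version from the advisory's "Patch Version"; earlier versions are affected.
WCFM_FIXED_VERSION="6.7.25"

# wcfm_vulnerable VERSION
# Returns 0 when VERSION sorts before 6.7.25 (i.e. 6.7.24 or earlier),
# 1 when it is 6.7.25 or later, 2 when no version was supplied.
wcfm_vulnerable() {
  local v="$1" oldest
  if [ -z "$v" ]; then
    echo "no version string (plugin not installed?)" >&2
    return 2
  fi
  # sort -V compares dotted versions component by component, so 6.7.24 < 6.7.25 < 6.10.0.
  oldest=$(printf '%s\n%s\n' "$v" "$WCFM_FIXED_VERSION" | sort -V | head -n 1)
  if [ "$oldest" = "$v" ] && [ "$v" != "$WCFM_FIXED_VERSION" ]; then
    return 0
  fi
  return 1
}

# wcfm_options_suspicious DEFAULT_ROLE USERS_CAN_REGISTER
# Returns 0 when default_role is a privileged role (the attack sets it to
# administrator); the message distinguishes open from closed registration.
# "subscriber" and WooCommerce's "customer" are the normal values.
wcfm_options_suspicious() {
  local default_role="$1" users_can_register="$2"
  case "$default_role" in
    administrator|editor|shop_manager)
      if [ "$users_can_register" = "1" ]; then
        echo "CRITICAL: open registration with default_role=$default_role" >&2
      else
        echo "WARNING: default_role=$default_role (registration closed)" >&2
      fi
      return 0
      ;;
  esac
  return 1
}

# Constructed demo values. Against a live site, from the WordPress root:
#   wcfm_vulnerable "$(wp plugin get wc-frontend-manager --field=version)"
#   wcfm_options_suspicious "$(wp option get default_role)" "$(wp option get users_can_register)"
for v in 6.7.24 6.7.25 6.8.0; do
  if wcfm_vulnerable "$v"; then echo "$v: affected"; else echo "$v: fixed"; fi
done
if wcfm_options_suspicious subscriber 0; then echo "options: suspicious"; else echo "options: normal"; fi
```

A suspicious option state on a site still running 6.7.24 or earlier is not proof of compromise (an administrator may have set it), but it is the exact precondition for the takeover described above and should be reverted and investigated before the plugin is updated.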

📡 Detection & Monitoring

Log Indicators:

  • Writes to WordPress options by accounts that are not administrators, in particular to default_role and users_can_register (the two options the attack path in this advisory changes)
  • A change of default_role to administrator followed by new user registrations, or any account that gains the administrator role without an administrator having assigned it
  • wp_options table modifications made through WCFM's settings controller

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=wcfm_ajax_controller and controller=settings. Shop Managers also hit this endpoint when saving WCFM settings legitimately, so correlate these requests with subsequent option or role changes rather than alerting on every call.

SIEM Query:

source="wordpress" AND (event="option_update" OR event="user_role_change") AND user_role!="administrator"
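The SIEM query above assumes you already ship option and role events. As an added example (not part of this advisory or of any WCFM code), the following shell script is a post-exploitation hunt that needs only wp-cli: once default_role was administrator and registration was open, any account the attacker self-registered appears as an administrator with a recent user_registered timestamp. It reads the CSV from `wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv` and prints the administrators registered at or after a cutoff; the listing and the cutoff in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example for CVE-2026-0845 (not from the advisory or from WCFM).
# Hunt for administrator accounts registered after a cutoff, the artifact the
# attack path in this advisory leaves behind. Assumed input is the output of:
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
# user_registered is WordPress's "YYYY-MM-DD HH:MM:SS" format (stored in UTC).

# wcfm_digits "2026-02-11 03:14:07" -> 20260211031407, so timestamps compare as integers
wcfm_digits() {
  printf '%s' "$1" | tr -cd '0-9'
}

# wcfm_new_admins CUTOFF < listing.csv
# Prints the ID,user_login,user_registered rows registered at or after CUTOFF.
wcfm_new_admins() {
  local cutoff header id login registered
  cutoff=$(wcfm_digits "$1")
  IFS= read -r header || return 0        # header row: ID,user_login,user_registered
  while IFS=, read -r id login registered; do
    if [ -z "$id" ]; then continue; fi
    if [ "$(wcfm_digits "$registered")" -ge "$cutoff" ]; then
      printf '%s,%s,%s\n' "$id" "$login" "$registered"
    fi
  done
}

# Constructed listing; the real one comes from wp-cli.
WCFM_SAMPLE_ADMINS='ID,user_login,user_registered
1,admin,2021-03-02 09:00:00
58,promo2026,2026-02-11 03:14:07
61,wc_support,2026-02-11 03:20:55'

# Cutoff: the earliest time a Shop Manager could have exploited the bug, for
# example the plugin install date or the first suspicious WCFM settings save.
printf '%s\n' "$WCFM_SAMPLE_ADMINS" | wcfm_new_admins '2026-02-01 00:00:00'
# Live use:
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv \
#     | wcfm_new_admins '2026-02-01 00:00:00'
```

Any hit should be cross-checked against who created it: an administrator created through the public registration form rather than by an existing administrator is the signature of this attack, and its login times and any plugins or files it added are the next thing to pull.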
