Cyber Resilience

CVE-2026-0845

High

Published: 10 February 2026

Modified: 15 April 2026
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.7th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0845 is a high-severity Missing Authorization (CWE-862) vulnerability affecting WordPress (the affected product is inferred from the references). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 6.7th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2026-0845 is a vulnerability in the WordPress plugin WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible. It stems from a missing capability check in the WCFM_Settings_Controller::processing function and affects all versions up to and including 6.7.24. The flaw, classified under CWE-862 (Missing Authorization), enables unauthorized modification of data and can lead to privilege escalation. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-10.

Authenticated attackers with Shop Manager-level access or higher can exploit this issue over the network with low complexity and no user interaction required. By leveraging the vulnerable function, they can update arbitrary WordPress site options, such as changing the default user role for registrations to administrator and enabling user registration. This allows attackers to create administrative accounts, achieving full site compromise.

References point to the vulnerable code in wcfm-controller-settings.php at line 150 and class-wcfm-ajax.php at line 285 in version 6.7.24, with a patch applied in changeset 3455819 to the trunk. A Wordfence threat intelligence advisory provides further details on the issue.


Vulnerability details

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CWE(s): CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing authorization in settings controller directly enables authenticated privilege escalation via arbitrary option modification (e.g., default role changes).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-8547 (shared CWE-862)
CVE-2026-22172 (shared CWE-862)
CVE-2025-48574 (shared CWE-862)
CVE-2026-0026 (shared CWE-862)
CVE-2025-48578 (shared CWE-862)
CVE-2025-48634 (shared CWE-862)
CVE-2026-28193 (shared CWE-862)
CVE-2025-49723 (shared CWE-862)
CVE-2024-12171 (shared CWE-862)
CVE-2025-7695 (shared CWE-862)

Affected Assets

WordPress (inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Directly enforces authorization checks on functions such as WCFM_Settings_Controller::processing before permitting modification of site options.

Prevent (CM-5, Access Restrictions for Change): Restricts the ability to change configuration settings (arbitrary WordPress options) to only explicitly authorized principals.

Prevent: Limits the privileges granted to Shop Manager accounts so that even an authenticated user cannot reach administrative option-update paths.
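As an added illustration of the missing-capability-check pattern described in the deeper analysis above and of the AC-3 and CM-5 controls listed here (example code written for this page, not the WCFM plugin's own; the handler, hook and option names are hypothetical):

```php
<?php
// Added example (not WCFM's code): a hypothetical WordPress AJAX handler that
// saves plugin settings, first in the shape CWE-862 takes in a settings
// controller, then hardened so the missing checks are enforced.

// BEFORE: the handler trusts the request and writes whatever option it names.
// Any logged-in user who can reach the hook can change site-wide options.
function demo_settings_save_vulnerable() {
    $name  = sanitize_key( $_POST['option_name'] ?? '' );
    $value = wp_unslash( $_POST['option_value'] ?? '' );
    update_option( $name, $value ); // no capability check, no nonce, no allowlist
    wp_send_json_success();
}

// AFTER: authorization enforced (AC-3) and the set of changeable settings
// restricted (CM-5).
function demo_settings_save_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'demo_settings_save', 'nonce' );

    // 2. Authorization: require an administrative capability, so a Shop
    //    Manager cannot reach an option-update path meant for admins.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: only this plugin's own options may be written, each with
    //    its own sanitizer. Core options such as default_role or
    //    users_can_register are never reachable through this handler.
    $allowed = array(
        'demo_store_name'     => 'sanitize_text_field',
        'demo_items_per_page' => 'absint',
    );
    $name = sanitize_key( $_POST['option_name'] ?? '' );
    if ( ! isset( $allowed[ $name ] ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }
    $value = call_user_func( $allowed[ $name ], wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success();
}

// Only the hardened handler is registered. wp_ajax_* hooks run for logged-in
// users only, which is authentication, not authorization: the capability
// check inside the handler is what makes the difference.
add_action( 'wp_ajax_demo_settings_save', 'demo_settings_save_hardened' );
```

The same three checks (nonce, capability, allowlist) are what a code review of a settings controller should look for, in that order.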

References