CVE-2026-0845
Published: 10 February 2026
Summary
CVE-2026-0845 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (product inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Deeper analysis
CVE-2026-0845 is a vulnerability in the WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress. It stems from a missing capability check on the WCFM_Settings_Controller::processing function and affects all versions up to and including 6.7.24. The flaw, classified under CWE-862 (Missing Authorization), enables unauthorized modification of data and can lead to privilege escalation. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-10.
Authenticated attackers with Shop Manager-level access or higher can exploit this issue over the network with low complexity and no user interaction required. By leveraging the vulnerable function, they can update arbitrary WordPress site options, such as changing the default user role for registrations to administrator and enabling user registration. This allows attackers to create administrative accounts, achieving full site compromise.
References point to the vulnerable code in wcfm-controller-settings.php at line 150 and class-wcfm-ajax.php at line 285 in version 6.7.24, with a patch applied in changeset 3455819 to the trunk. A Wordfence threat intelligence advisory provides further details on the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6468
Vulnerability details
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization in settings controller directly enables authenticated privilege escalation via arbitrary option modification (e.g., default role changes).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization checks on functions such as WCFM_Settings_Controller::processing before permitting modification of site options.
- CM-5 (Access Restrictions for Change): restricts the ability to change configuration settings (arbitrary WordPress options) to only explicitly authorized principals.
- Limits the privileges granted to Shop Manager accounts so that even an authenticated user cannot reach administrative option-update paths.
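The following PHP is an added illustration and is not code from the WCFM plugin or from the Wordfence advisory. It shows the shape of bug described in the deeper analysis (a settings-save handler that writes whatever option the request names, with no capability check) next to a hardened handler that applies the AC-3 and CM-5 controls listed above: a nonce check, a manage_options capability check, and an allowlist of writable option names. It closes with a compensating guard an administrator can drop into an mu-plugin while a vulnerable plugin is still installed, which blocks and logs non-administrator changes to the two options this class of bug targets. All function names (acme_*), the nonce action 'acme_settings', and the option names in the allowlist are hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, update_option, the pre_update_option_{$option} filter) are real.

```php
<?php
// Added example, not the plugin's own code. Hypothetical handler names (acme_*).

// --- Unsafe pattern: whoever reaches this handler can set any option to any value.
function acme_save_settings_unsafe() {
    // No nonce, no capability check, no allowlist: the request chooses the option.
    $name  = (string) ( $_POST['option_name'] ?? '' );
    $value = (string) ( $_POST['option_value'] ?? '' );
    update_option( $name, $value );
    wp_send_json_success();
}

// --- Hardened pattern.
// Only the plugin's own options are writable through this endpoint (hypothetical names).
const ACME_ALLOWED_OPTIONS = array( 'acme_store_name', 'acme_items_per_page' );

function acme_save_settings_safe() {
    // CSRF: the request must carry a nonce minted for this specific action.
    check_ajax_referer( 'acme_settings', '_wpnonce' );

    // AC-3 Access Enforcement: site-wide options are administrator territory.
    // A Shop Manager holds WooCommerce capabilities but not manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // CM-5 Access Restrictions for Change: an allowlist keeps core options such as
    // default_role and users_can_register out of reach even for an authorized caller.
    $name = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    if ( ! in_array( $name, ACME_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown option' ), 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_acme_save_settings', 'acme_save_settings_safe' );

// --- Compensating control for an unpatched site: refuse non-administrator changes to
// the registration options and record every attempt. Returning the old value from the
// pre_update_option_{$option} filter makes update_option() a no-op for that call.
function acme_guard_sensitive_option( $value, $old_value, $option ) {
    if ( $value === $old_value ) {
        return $value;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            'acme-guard: blocked change of %s by user %d from %s',
            $option,
            get_current_user_id(),
            $_SERVER['REMOTE_ADDR'] ?? 'cli'
        ) );
        return $old_value;
    }
    return $value;
}
foreach ( array( 'default_role', 'users_can_register' ) as $acme_opt ) {
    add_filter( 'pre_update_option_' . $acme_opt, 'acme_guard_sensitive_option', 10, 3 );
}
```

The guard also blocks changes made with no logged-in user (cron, or WP-CLI without --user), since current_user_can() returns false there; run administrative WP-CLI commands with --user set to an administrator, and remove the guard once the plugin is updated past 6.7.24. The error_log line is the detection hook: a single blocked change of default_role or users_can_register by a Shop Manager account is a high-fidelity indicator that this vulnerability is being exercised.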