CVE-2026-2554
Published: 02 May 2026
Summary
CVE-2026-2554 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Access Removal (T1531); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations for access to customer objects via the customerid parameter, directly preventing IDOR-based unauthorized user deletions.
Validates the user-controlled customerid input to ensure it only allows deletion of authorized customers, addressing the missing validation in wcfm_delete_wcfm_customer.
Identifies and remediates the specific IDOR flaw through timely patching of the vulnerable plugin versions up to 6.7.25.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR flaw directly allows authenticated low-privileged users to delete arbitrary accounts (including high-privileged ones) without authorization, mapping exactly to Account Access Removal.
NVD Description
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.
Deeper analysis
CVE-2026-2554 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress in all versions up to and including 6.7.25. The flaw arises in the 'wcfm_delete_wcfm_customer' function due to missing validation on the user-controlled 'customerid' parameter, allowing improper access to delete objects without authorization checks. Published on 2026-05-02, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity with significant integrity and availability impacts.
Authenticated attackers with Vendor-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By manipulating the 'customerid' parameter, they can delete arbitrary users, including Administrators, potentially disrupting site operations, escalating privileges indirectly, or enabling further compromise through account removal.
Advisories and plugin references point to mitigation via patching. The Wordfence threat intelligence page details the vulnerability (ID 21e397a4-0b32-4b13-a46b-c465acea0796), and the WordPress plugin Trac shows the vulnerable code at line 386 in class-wcfm-customer.php (version 6.7.24), with changeset 3483695 indicating the fix applied in subsequent releases beyond 6.7.25. Security practitioners should update the plugin immediately and review access controls for vendor roles.
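To make the CWE-639 pattern concrete, the following is an added illustration written for this page, not the WCFM plugin's own code: a hypothetical WordPress AJAX "delete customer" handler that trusts the user-controlled 'customerid' key, beside a hardened version that enforces a nonce, a capability, an ownership relation and a guard against removing privileged accounts. The function names, the 'example_manage_customers' capability and the '_example_owner_vendor' meta key are assumptions for the example.

```php
<?php
// Added illustration (hypothetical, not the plugin's code). Shows the
// missing-validation pattern the advisory describes and a hardened form.

// VULNERABLE PATTERN: 'customerid' is taken from the request and used as
// the object reference with no check that the caller may act on it.
function example_delete_customer_unsafe() {
    $customer_id = absint( $_POST['customerid'] );
    wp_delete_user( $customer_id ); // no capability or ownership check
    wp_send_json_success();
}

// HARDENED PATTERN: authorize the caller AND the specific object.
function example_delete_customer_safe() {
    check_ajax_referer( 'example_delete_customer', 'nonce' ); // CSRF guard

    $customer_id = isset( $_POST['customerid'] ) ? absint( $_POST['customerid'] ) : 0;
    $vendor_id   = get_current_user_id();

    // Capability check ('example_manage_customers' is a hypothetical cap).
    if ( ! $customer_id || ! current_user_can( 'example_manage_customers' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $customer = get_user_by( 'id', $customer_id );
    if ( ! $customer ) {
        wp_send_json_error( 'not found', 404 );
    }

    // A vendor-level endpoint must never remove admins or the caller itself.
    if ( user_can( $customer, 'manage_options' ) || $customer_id === $vendor_id ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Ownership check: the object must belong to the requesting vendor.
    // '_example_owner_vendor' is a hypothetical user-meta key for that link.
    $owner = (int) get_user_meta( $customer_id, '_example_owner_vendor', true );
    if ( $owner !== $vendor_id ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
    wp_delete_user( $customer_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_customer', 'example_delete_customer_safe' );
```

The essential difference is the ownership check: validating that 'customerid' refers to an object the caller is authorized for, not merely that it is a well-formed integer, is what closes the IDOR.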
Details
- CWE(s)