CVE-2026-2554

Severity: High
Published: 02 May 2026
Modified: 05 May 2026
KEV Added: not listed
Fix status: patch available
CVSS v3.1: 8.1 (High) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.0033 (24.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-2554 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in the WCFM – Frontend Manager for WooCommerce plugin for WordPress (the affected product is inferred from the references, as NVD has not assigned a CPE). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Access Removal (T1531); ranked at the 24.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2554 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress in all versions up to and including 6.7.25. The flaw arises in the 'wcfm_delete_wcfm_customer' function due to missing validation on the user-controlled 'customerid' parameter, allowing improper access to delete objects without authorization checks. Published on 2026-05-02, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity with significant integrity and availability impacts.

Authenticated attackers with Vendor-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction. By supplying an arbitrary value in the 'customerid' parameter, they can delete any user account, including Administrators, which locks legitimate operators out of the site, disrupts store operations, and can serve as a destructive step in a wider compromise. The vector's C:N/I:H/A:H scoring reflects that the impact is loss of integrity and availability (account removal), not disclosure.

Advisories and plugin references point to mitigation via patching. The Wordfence threat intelligence page details the vulnerability (ID 21e397a4-0b32-4b13-a46b-c465acea0796), and WordPress plugin Trac shows the vulnerable code at line 386 of class-wcfm-customer.php (version 6.7.24); changeset 3483695 carries the fix, which ships in releases after 6.7.25. Security practitioners should update the plugin immediately and review what the Vendor role is permitted to do with customer records.
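To make the missing check concrete, the following is an added example (not the WCFM project's code and not its actual fix from changeset 3483695) of a WordPress AJAX "delete customer" handler in its vulnerable shape and in a hardened shape. It uses real WordPress APIs (check_ajax_referer, current_user_can, get_user_meta, user_can, wp_delete_user), but the hook name 'example_delete_customer', the capability 'example_manage_own_customers' and the user-meta key '_example_vendor_id' that links a customer to the vendor who created it are assumptions for illustration; a real plugin would substitute its own ownership model.

```php
<?php
/**
 * Added example: vulnerable vs. hardened "delete customer" AJAX handler.
 * Runs inside WordPress. Hook name, capability and meta key are assumed.
 */

// Vulnerable shape (deliberately so, for contrast): the user-controlled
// 'customerid' key is trusted outright, so any logged-in vendor can delete
// any user, including Administrators. This is the CWE-639 pattern.
function example_vulnerable_delete_customer() {
    $customer_id = absint( $_POST['customerid'] ?? 0 );
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $customer_id );
    wp_send_json_success();
}

/**
 * Object-level authorization decision, kept separate so it can be unit
 * tested: may $actor_id delete $customer_id through this endpoint?
 *
 * Returns true only when the target exists, is owned by the actor
 * (assumed meta key '_example_vendor_id') and is not a privileged account.
 */
function example_can_delete_customer( $actor_id, $customer_id ) {
    $customer = get_userdata( $customer_id );
    if ( ! $customer ) {
        return false;
    }

    // Ownership check: the heart of the IDOR fix. The caller may only act on
    // objects the data model says belong to them, not on any key they type.
    $owner_id = (int) get_user_meta( $customer_id, '_example_vendor_id', true );
    if ( $owner_id === 0 || $owner_id !== (int) $actor_id ) {
        return false;
    }

    // Defence in depth: never let a vendor-facing endpoint remove an account
    // that can administer the site, even if ownership metadata says otherwise.
    if ( user_can( $customer, 'manage_options' ) || user_can( $customer, 'edit_users' ) ) {
        return false;
    }

    return true;
}

// Hardened shape: CSRF nonce, narrow capability, then object-level check.
function example_hardened_delete_customer() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_delete_customer', 'nonce' );

    // 2. Input validation: a non-numeric or zero id is rejected early.
    $customer_id = absint( $_POST['customerid'] ?? 0 );
    if ( 0 === $customer_id ) {
        wp_send_json_error( 'invalid customerid', 400 );
    }

    // 3. Capability: being logged in is not enough; require a specific
    //    capability (assumed name) granted only to the vendor role.
    if ( ! current_user_can( 'example_manage_own_customers' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Authorization on the object itself (the check missing in the CVE).
    if ( ! example_can_delete_customer( get_current_user_id(), $customer_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    if ( ! wp_delete_user( $customer_id ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $customer_id ) );
}
add_action( 'wp_ajax_example_delete_customer', 'example_hardened_delete_customer' );
```

The order matters: the nonce and capability checks stop drive-by and unprivileged callers cheaply, but neither addresses CWE-639 on its own, since a legitimate vendor still passes both. Only the per-object ownership comparison in example_can_delete_customer closes the IDOR, and the role gate underneath it limits blast radius if ownership metadata is ever wrong.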


Vulnerability details

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.

CWE(s)

CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques

T1531 Account Access Removal (Impact)
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Why these techniques?

The IDOR flaw directly allows authenticated low-privileged users to delete arbitrary accounts (including high-privileged ones) without authorization, mapping exactly to Account Access Removal.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33053 (shared CWE-639)
CVE-2026-3453 (shared CWE-639)
CVE-2026-30945 (shared CWE-639)
CVE-2026-41471 (shared CWE-639)
CVE-2026-7491 (shared CWE-639)
CVE-2026-28216 (shared CWE-639)
CVE-2025-12008 (shared CWE-639)
CVE-2026-35183 (shared CWE-639)
CVE-2026-0020 (shared CWE-639)
CVE-2025-14459 (shared CWE-639)

Affected Assets

WordPress (WCFM – Frontend Manager for WooCommerce plugin, versions up to and including 6.7.25)
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for access to customer objects referenced via the customerid parameter, directly preventing IDOR-based unauthorized user deletions.

SI-10 Information Input Validation (prevent)
Validates the user-controlled customerid input so that wcfm_delete_wcfm_customer can only act on customers the caller is authorized to delete, addressing the missing validation in the vulnerable code.

Flaw remediation (prevent)
Identifies and remediates the specific IDOR flaw through timely patching of the vulnerable plugin versions up to and including 6.7.25.
