CVE-2026-4896
Published: 04 April 2026
Summary
CVE-2026-4896 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 enforces approved authorizations on logical access to resources like orders, products, and posts, preventing authenticated vendors from modifying or deleting objects regardless of ownership via unchecked object IDs.
SI-10 requires validation of user-supplied object IDs in AJAX actions such as wcfm_modify_order_status and delete_wcfm_product, directly addressing the missing checks that enable IDOR exploitation.
AC-6 applies least privilege to restrict Vendor-level users to only their own orders, products, and posts, mitigating unauthorized access even if enforcement mechanisms have gaps.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in public-facing WordPress plugin enables network exploitation (T1190) leading to unauthorized stored data modification (order status, posts/products/pages) and data destruction (deletions).
NVD Description
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and…
more
the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership.
Deeper analysisAI
CVE-2026-4896 is an Insecure Direct Object Reference vulnerability (CWE-639) in the WCFM – Frontend Manager for WooCommerce plugin, along with the Bookings Subscription Listings Compatible plugin, for WordPress. It affects all versions up to and including 6.7.25. The flaw stems from missing validation on user-supplied object IDs in multiple AJAX actions, including wcfm_modify_order_status, delete_wcfm_article, delete_wcfm_product, and the article management controller.
Authenticated attackers with Vendor-level access or higher can exploit this over the network (AV:N) with low attack complexity (AC:L), low privileges (PR:L), and no user interaction (UI:N). Exploitation enables modification of any order status, deletion or modification of any post, product, or page, regardless of ownership, leading to high integrity (I:H) and availability (A:H) impacts with no confidentiality effects (C:N). The CVSS v3.1 base score is 8.1 (S:U).
Advisories reference specific vulnerable code locations, such as line 644-880 in core/class-wcfm-ajax.php and line 271 in core/class-wcfm-article.php from the plugin's 6.7.24 trac tag, as detailed in Wordfence threat intelligence. Security practitioners should consult these sources for targeted analysis and remediation.
Details
- CWE(s)