
CVE-2026-2554

HIGH · 8.1

Published yesterday, no PoC public, not KEV-listed; elevated by HIGH CVSS & straightforward exploitation vector.

What: Insecure Direct Object Reference (IDOR) in WCFM – Frontend Manager for WooCommerce plugin (all versions ≤6.7.25) allows authenticated Vendor-level users to delete arbitrary accounts including admins. CVSS 8.1 HIGH.

Why it matters: Published yesterday; HIGH CVSS score; affects WooCommerce multi-vendor storefronts where third parties hold Vendor accounts, so the attacker is any vendor the site has onboarded. Chatter emphasizes that no patch is available yet and recommends immediate access control hardening. No KEV listing or confirmed public PoC yet, but the attack surface (a user-controlled key passed to a delete action without an ownership or capability check) is straightforward, which elevates concern for WordPress administrators running multi-vendor storefronts.

Where it's seen: Security news aggregators and threat radar platforms amplifying NVD advisory within 24 hours of publication; defender-focused posts recommending access restrictions and audit logging; international coverage (Japanese translation present).

RISK: HIGH — the IDOR lets a Vendor-level account delete arbitrary users, Administrators included (an authorization bypass through a user-controlled key, CWE-639); HIGH CVSS; unpatched multi-vendor WordPress installs are at immediate risk of loss of administrative access.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/3/2026, 12:15:39 AM

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.
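To make the described failure concrete, here is an added example, not WCFM's own code: a WordPress AJAX handler with the IDOR pattern the advisory describes (the caller-supplied 'customerid' is used directly) next to a hardened version that authenticates the request, authorizes the action, and binds the object reference to the calling vendor, plus a temporary guard a site owner could drop into an mu-plugin while no fixed release is installed. The function names, the 'nonce' field, the '_wcfm_vendor' usermeta key, and the assumption that the action is dispatched as 'wp_ajax_wcfm_delete_wcfm_customer' through admin-ajax.php are illustrative assumptions, not taken from the plugin.

```php
<?php
/**
 * Added example (not WCFM's code): the IDOR pattern described in the
 * advisory beside a hardened equivalent. Function/hook names and the
 * vendor-to-customer data model (usermeta '_wcfm_vendor') are assumptions.
 */

// --- Vulnerable pattern: the handler trusts the caller-supplied key. ---
// Any logged-in user who can reach this action may pass the ID of any
// account, including an Administrator, because nothing ties 'customerid'
// to the calling vendor and no capability is checked.
function example_vulnerable_delete_customer() {
    $customer_id = absint( $_POST['customerid'] );
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $customer_id );
    wp_send_json_success();
}

// --- Hardened version: authenticate the request, authorize the action,
// and bind the object reference to the caller. ---
function example_hardened_delete_customer() {
    // 1. CSRF: the request must carry a nonce issued to this session.
    check_ajax_referer( 'example_delete_customer', 'nonce' );

    $customer_id = isset( $_POST['customerid'] ) ? absint( $_POST['customerid'] ) : 0;
    if ( ! $customer_id ) {
        wp_send_json_error( 'missing customerid', 400 );
    }

    // 2. Authorization decision on (actor, target), independent of the request.
    if ( ! example_can_delete_customer( get_current_user_id(), $customer_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $customer_id );
    wp_send_json_success();
}

/**
 * Pure authorization predicate, kept separate so it can be unit-tested
 * without a request context. Data model is assumed for this example.
 */
function example_can_delete_customer( $actor_id, $target_id ) {
    $actor  = get_userdata( $actor_id );
    $target = get_userdata( $target_id );
    if ( ! $actor || ! $target ) {
        return false;
    }
    // Nobody deletes themselves through this path, and privileged
    // accounts are never deletable from the vendor front end.
    if ( (int) $actor_id === (int) $target_id || user_can( $target, 'manage_options' ) ) {
        return false;
    }
    // Site administrators may delete any non-privileged customer.
    if ( user_can( $actor, 'delete_users' ) ) {
        return true;
    }
    // Vendors may delete only customers assigned to them. The
    // '_wcfm_vendor' usermeta key is an assumption for this example.
    $vendor_of_target = (int) get_user_meta( $target_id, '_wcfm_vendor', true );
    return in_array( 'customer', (array) $target->roles, true )
        && $vendor_of_target === (int) $actor_id;
}

// --- Stop-gap guard while waiting for a fixed plugin release. ---
// Assumes the action is dispatched through admin-ajax.php as
// 'wcfm_delete_wcfm_customer'; adjust if the plugin routes it differently.
// Priority 1 runs before the plugin's own handler (default priority 10),
// and wp_send_json_error() terminates the request.
add_action( 'wp_ajax_wcfm_delete_wcfm_customer', function () {
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'customer deletion disabled pending plugin update', 403 );
    }
}, 1 );
```

The structural difference that matters is that the hardened handler's decision is a function of (actor, target) rather than of the raw request, so the vendor-to-customer binding can be unit-tested, and an Administrator target is refused regardless of the caller's role. The guard at the end is coarse by design: it disables the feature for non-administrators rather than trying to reimplement the plugin's ownership logic.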

GitHub repositories matched by keyword search: 20 repos (5 shown). None of the listed repositories is a PoC for CVE-2026-2554; the list is automated search noise and does not contradict the note above that no public PoC is known.

  • AthenaCore/AwesomeResponsibleAI ★ 124

    A curated list of awesome academic research, books, code of ethics, courses, databases, data sets, frameworks, institutes, maturity models, newsletters, principles, podcasts, regulations, reports, responsible scale policies, tools and standards related to Responsible, Trustworthy, and Human-Centered AI.

  • okeuday/pest ★ 103 · Erlang

    :beetle: Primitive Erlang Security Tool

  • GodModeAI2025/specforge-ai-skill ★ 22 · HTML

    Single-file Claude Skill for spec-driven RE. Generates constitution, specs, plans, research, tasks — with automatic KRITIS/NIS2 compliance checks and cross-artifact consistency analysis.

  • hiifong/starList ★ 18 · Python

    Export your star's repository list

  • mattyopon/faultray ★ 16 · Python

    Zero-risk infrastructure chaos simulation — 5 engines, 2000+ scenarios, 3-Layer availability proof. No production fault injection.


Articles & coverage: 13 articles (5 shown). Only the last entry below concerns CVE-2026-2554; the n8n, OpenSIPS and Tomcat items are unrelated CVEs (CVE-2026-25054, CVE-2026-25554, CVE-2026-25854) picked up by a loose identifier match.

  • CVE-2026-25054 - Vulnerability Details - OpenCVE

    n8n is an open source workflow automation platform. Impact: Cross-site scripting that permits an attacker to run arbitrary scripts with the privileges of users who view a crafted workflow, potentially leading to session hijacking and account takeover. The affected product is the open-source workflow automation platform n8n, maintained by n8n-io.

  • CVE-2026-25554: OpenSIPS auth_jwt SQL Injection Flaw

    # CVE-2026-25554: OpenSIPS auth_jwt SQL Injection Flaw. CVE-2026-25554 is a SQL injection vulnerability in OpenSIPS auth_jwt module versions 3.1 to 3.6.3 that enables attackers to bypass JWT authentication and impersonate users. CVE-2026-25554 is a SQL Injection vulnerability affecting OpenSIPS versions 3.1 before 3.6.4 in the auth_jwt module. The critical security flaw is twofold: first, the J

  • NVD - CVE-2026-25554

    NVD entry for CVE-2026-25554 (OpenSIPS): five references, all sourced from VulnCheck (URLs not captured); weakness enumeration CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), source VulnCheck; two change records (CVE Modified).

  • CVE-2026-25854: Apache Tomcat Open Redirect Vulnerability

    # CVE-2026-25854: Apache Tomcat Open Redirect Vulnerability. CVE-2026-25854 is an open redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve that allows URL redirection to untrusted sites. ## CVE-2026-25854 Overview. CVE-2026-25854 is an Open Redirect vulnerability affecting Apache Tomcat's LoadBalancerDrainingValve component. This vulnerability allows attackers to craft malicious UR

  • CVE-2026-2554: CWE-639 Authorization Bypass Through User ...

    Detailed information about CVE-2026-2554: CWE-639 Authorization Bypass Through User-Controlled Key in wclovers WCFM – Frontend Manager for

NVD details: 1 CWE · 0 vendors · 3 refs
