📄 Description (English)
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
🤖 AI Executive Summary
CVE-2026-0845 is a privilege escalation vulnerability in the WCFM WordPress plugin affecting versions up to 6.7.24. Authenticated Shop Manager-level users can exploit missing capability checks to modify arbitrary WordPress options, including changing default registration roles to administrator. This allows attackers to create admin accounts and gain full site control, posing critical risk to Saudi e-commerce and business platforms.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 8, 2026 21:45
🇸🇦 Saudi Arabia Impact Assessment
High impact on Saudi e-commerce sector, particularly small and medium enterprises (SMEs) using WooCommerce for online sales. Banking and fintech companies offering payment processing through WooCommerce-based platforms face significant risk. Government procurement portals and healthcare e-commerce platforms using this plugin are vulnerable. Telecommunications and retail sectors with online storefronts are at risk. ARAMCO and energy sector supply chain portals using WooCommerce could be compromised. The vulnerability enables complete site takeover, data theft, and malware distribution.
🏢 Affected Saudi Sectors
E-commerce and Retail
Banking and Financial Services
Healthcare and Pharmaceuticals
Government and Public Sector
Telecommunications
Energy and Utilities
Hospitality and Tourism
Education
🎯 MITRE ATT&CK Techniques
T1548 - Abuse Elevation Control Mechanism
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1078 - Valid Accounts
T1078.002 - Valid Accounts: Domain Accounts
T1098 - Account Manipulation
T1098.001 - Account Manipulation: Additional Cloud Credentials
T1190 - Exploit Public-Facing Application
T1199 - Trusted Relationship
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations using WCFM plugin versions up to 6.7.24
2. Restrict Shop Manager role access to trusted personnel only
3. Implement IP whitelisting for WordPress admin access
4. Enable two-factor authentication for all administrative accounts
5. Monitor WordPress user creation logs for suspicious admin account creation
PATCHING:
1. Update WCFM plugin to version 6.7.25 or later immediately
2. Test updates in staging environment before production deployment
3. Verify plugin functionality post-update
COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable user registration functionality if not required
2. Implement Web Application Firewall (WAF) rules to block WCFM_Settings_Controller requests from non-admin users
3. Use WordPress security plugins to monitor option modifications
4. Implement database activity monitoring for wp_options table changes
DETECTION:
1. Monitor WordPress logs for 'WCFM_Settings_Controller::processing' function calls
2. Alert on wp_options table modifications by non-administrator users
3. Track user role changes, especially to administrator role
4. Monitor new user account creation with administrative privileges
5. Implement SIEM rules: detect_privilege_escalation_wordpress_wcfm
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات WordPress التي تستخدم إضافة WCFM بإصدارات حتى 6.7.24
2. تقييد وصول دور مدير المتجر للموظفين الموثوقين فقط
3. تطبيق القائمة البيضاء للعناوين IP لوصول WordPress الإداري
4. تفعيل المصادقة متعددة العوامل لجميع الحسابات الإدارية
5. مراقبة سجلات إنشاء مستخدمي WordPress للكشف عن إنشاء حسابات إدارية مريبة
التصحيح:
1. تحديث إضافة WCFM إلى الإصدار 6.7.25 أو أحدث فوراً
2. اختبار التحديثات في بيئة التطوير قبل النشر في الإنتاج
3. التحقق من وظائف الإضافة بعد التحديث
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تعطيل وظيفة تسجيل المستخدم إذا لم تكن مطلوبة
2. تطبيق قواعد جدار حماية تطبيقات الويب لحجب طلبات WCFM_Settings_Controller من المستخدمين غير الإداريين
3. استخدام إضافات أمان WordPress لمراقبة تعديلات الخيارات
4. تطبيق مراقبة نشاط قاعدة البيانات لتغييرات جدول wp_options
الكشف:
1. مراقبة سجلات WordPress لاستدعاءات دالة WCFM_Settings_Controller::processing
2. تنبيهات على تعديلات جدول wp_options من قبل المستخدمين غير الإداريين
3. تتبع تغييرات أدوار المستخدمين، خاصة إلى دور المسؤول
4. مراقبة إنشاء حسابات مستخدمين جديدة بامتيازات إدارية
5. تطبيق قواعد SIEM: detect_privilege_escalation_wordpress_wcfm
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User access management and privilege control
ECC 2024 A.9.4.3 - Password management and authentication
ECC 2024 A.12.4.1 - Event logging and monitoring
ECC 2024 A.14.2.1 - Secure development and change management
🔵 SAMA CSF
SAMA CSF 1.1 - Governance and Risk Management
SAMA CSF 2.2 - Access Control and Authentication
SAMA CSF 3.1 - Detection and Analysis
SAMA CSF 4.1 - Containment and Recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.3 - Cryptography
ISO 27001:2022 A.8.32 - Change management
ISO 27001:2022 A.12.4.1 - Event logging
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Default security parameters
PCI DSS 6.2 - Security patches and updates
PCI DSS 7.1 - Limit access to system components
PCI DSS 10.2 - User access logging
🔗 References & Sources 4
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/controllers/...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-w...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3455819/wc-frontend-manager/trunk/controll...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/4973cef3-dddf-4eb5-99f4-c23a0...
security@wordfence.com