📄 Description (English)
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.
🤖 AI Executive Summary
CVE-2026-2554 is a critical Insecure Direct Object Reference (IDOR) vulnerability in the WCFM WordPress plugin affecting versions up to 6.7.25. Authenticated vendors can delete arbitrary users including administrators by manipulating the 'customerid' parameter without proper validation. This vulnerability poses significant risk to e-commerce platforms and multi-vendor marketplaces operating in Saudi Arabia, particularly those using WooCommerce for B2B and B2C operations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 6, 2026 20:00
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi e-commerce operators, digital marketplaces (Noon, Zando, local B2B platforms), and SMEs using WooCommerce with WCFM plugin. High-risk sectors include: Retail/E-commerce (CITC regulated), Financial services using payment gateways integrated with WooCommerce, Healthcare e-pharmacies, and Tourism/Hospitality booking platforms. Vendor account compromise could lead to unauthorized deletion of customer accounts, administrative accounts, and disruption of marketplace operations. Organizations under SAMA oversight conducting digital commerce face operational and compliance risks.
🏢 Affected Saudi Sectors
E-commerce and Retail
Digital Marketplaces
Financial Services (Payment Processing)
Healthcare (E-pharmacies)
Tourism and Hospitality
SME/MSME Digital Platforms
B2B Procurement Platforms
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.4
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WCFM plugin installations and identify versions up to 6.7.25
2. Disable the WCFM plugin immediately if no patch is available
3. Review user deletion logs for suspicious 'wcfm_delete_wcfm_customer' actions
4. Audit vendor account permissions and recent vendor activities
5. Reset administrator passwords and enforce MFA
PATCHING GUIDANCE:
1. Monitor WCFM official repository for security patch release
2. When patch available, test in staging environment before production deployment
3. Implement automated backup before patching
COMPENSATING CONTROLS (until patch available):
1. Restrict vendor role capabilities using WordPress role management
2. Implement Web Application Firewall (WAF) rules to block 'wcfm_delete_wcfm_customer' requests with suspicious customerid parameters
3. Enable WordPress audit logging for user deletion events
4. Implement database-level access controls limiting vendor role permissions
5. Use WordPress security plugins to monitor and alert on user deletion attempts
DETECTION RULES:
1. Monitor WordPress logs for 'wcfm_delete_wcfm_customer' action with vendor-level users
2. Alert on user deletion events where deleting user has higher privilege than target user
3. Track POST requests to wp-admin/admin-ajax.php with action=wcfm_delete_wcfm_customer
4. Monitor for rapid sequential user deletion attempts from single vendor account
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات مكون WCFM وتحديد الإصدارات حتى 6.7.25
2. تعطيل مكون WCFM فوراً إذا لم تكن هناك رقعة متاحة
3. مراجعة سجلات حذف المستخدمين للأنشطة المريبة
4. تدقيق أذونات حساب البائع والأنشطة الأخيرة
5. إعادة تعيين كلمات مرور المسؤول وفرض المصادقة متعددة العوامل
إرشادات التصحيح:
1. مراقبة مستودع WCFM الرسمي لإصدار رقعة الأمان
2. عند توفر الرقعة، اختبرها في بيئة التطوير قبل نشرها في الإنتاج
3. تنفيذ نسخة احتياطية آلية قبل التصحيح
الضوابط البديلة:
1. تقييد قدرات دور البائع باستخدام إدارة الأدوار في WordPress
2. تنفيذ قواعد جدار الحماية لحجب طلبات wcfm_delete_wcfm_customer المريبة
3. تفعيل تسجيل تدقيق WordPress لأحداث حذف المستخدمين
4. تنفيذ ضوابط الوصول على مستوى قاعدة البيانات
5. استخدام مكونات أمان WordPress لمراقبة التنبيهات
قواعد الكشف:
1. مراقبة سجلات WordPress لإجراء wcfm_delete_wcfm_customer
2. التنبيه على أحداث حذف المستخدمين المريبة
3. تتبع طلبات POST إلى wp-admin/admin-ajax.php
4. مراقبة محاولات حذف المستخدمين المتسلسلة السريعة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy
ECC 2024 A.6.1.2 - User Access Rights Review
ECC 2024 A.7.2.1 - User Identification and Authentication
ECC 2024 A.8.2.3 - Segregation of Duties
ECC 2024 A.12.4.1 - Event Logging
ECC 2024 A.12.4.3 - Administrator and Operator Logs
🔵 SAMA CSF
SAMA CSF 1.1 - Governance and Risk Management
SAMA CSF 2.1 - Access Control and Authentication
SAMA CSF 2.2 - Authorization and Segregation of Duties
SAMA CSF 3.1 - Monitoring and Logging
SAMA CSF 4.1 - Incident Management
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access Control
ISO 27001:2022 A.5.16 - Identity Management
ISO 27001:2022 A.5.17 - Authentication Information
ISO 27001:2022 A.8.1 - User Endpoint Devices
ISO 27001:2022 A.8.2 - Privileged Access Rights
ISO 27001:2022 A.8.3 - Information Access Restriction
ISO 27001:2022 A.8.15 - Logging
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Default Passwords and Security Parameters
PCI DSS 6.2 - Security Patches
PCI DSS 7.1 - Limit Access to System Components
PCI DSS 8.1 - User Identification and Authentication
PCI DSS 10.2 - Automated Audit Trails
🔗 References & Sources 3
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-w...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3483695/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465a...
security@wordfence.com