cvedb.io
CVE-2024-8290
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2024-09-25T07:15:03.663 · Last modified 2026-06-17T08:22:17.953

Summary

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the ID user controlled key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts which allows them to reset the password and access the administrator account.

Affected products

wclovers — frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible

Does this affect you?

Add your gear to cvedb and we'll alert you only when wclovers ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.