CVE-2024-8290: CWE-639 Authorization Bypass Through User-Controlled Key in wclovers WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
CVE-2024-8290 is a high-severity vulnerability in the WCFM – Frontend Manager for WooCommerce plugin for WordPress, affecting all versions up to and including 6.7.12. It is an authorization bypass due to an insecure direct object reference (CWE-639) caused by missing validation on a user-controlled ID key in the processing function. Authenticated users with subscriber or customer-level access can exploit this flaw to change the email address of administrator accounts. This enables them to reset the administrator password and gain full admin control without higher privileges. The vulnerability requires no user interaction beyond authentication and can lead to complete compromise of the affected WordPress site. There are currently no known exploits in the wild, and no patches have been released yet. Organizations using this plugin should urgently review access controls and monitor for suspicious account changes.
AI Analysis
Technical Summary
CVE-2024-8290 is a critical authorization bypass vulnerability identified in the WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress. The flaw exists in the WCFM_Customers_Manage_Controller::processing function, where the plugin fails to properly validate the user-controlled 'ID' parameter before acting on the referenced account. This lack of validation is an insecure direct object reference (IDOR), classified under CWE-639, and allows attackers with minimal privileges, specifically subscriber or customer-level authenticated users, to manipulate the email addresses of administrator accounts. By changing the administrator's email, attackers can initiate password reset procedures, effectively gaining full administrative access to the WordPress site. The vulnerability has a CVSS 3.1 base score of 8.8, indicating high severity, with an attack vector that is network-based, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability at a high level. The plugin versions up to and including 6.7.12 are affected, and no patches or fixes have been published at the time of disclosure. This vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple user roles and subscription-based access. Exploitation could lead to complete site takeover, data theft, defacement, or further malware deployment. Although no known exploits are currently reported in the wild, the ease of exploitation and the critical impact necessitate immediate attention from site administrators and security teams.
Potential Impact
The impact of CVE-2024-8290 is severe for organizations using the affected WCFM plugin on WordPress. An attacker with only subscriber or customer-level access can escalate privileges to full administrator control by changing the admin email and resetting the password. This leads to a complete compromise of the website, including unauthorized access to sensitive data, modification or deletion of content, installation of malicious code, and disruption of services. For e-commerce sites relying on WooCommerce and this plugin for managing frontend operations and bookings, such a compromise could result in financial losses, reputational damage, and regulatory penalties due to data breaches. The vulnerability undermines the integrity and availability of the site and exposes organizations to further attacks such as ransomware or phishing campaigns launched from the compromised infrastructure. Given the widespread use of WooCommerce and WordPress globally, the threat surface is substantial, especially for small to medium businesses that may lack robust security monitoring and patch management processes.
Mitigation Recommendations
To mitigate CVE-2024-8290, organizations should immediately restrict subscriber and customer-level access privileges to the minimum necessary and monitor for any unusual changes to administrator account details, particularly email addresses. Implement multi-factor authentication (MFA) for all administrator accounts to reduce the risk of account takeover via password reset. Review and harden WordPress user role permissions to prevent unauthorized access to sensitive plugin functions. Until an official patch is released, consider disabling or uninstalling the affected WCFM plugin if feasible, or isolate the affected functionality behind additional access controls such as web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable processing function. Regularly audit logs for signs of exploitation attempts and educate users about phishing risks related to password resets. Stay informed on vendor updates and apply patches promptly once available. Additionally, consider deploying runtime application self-protection (RASP) solutions to detect and block exploitation attempts in real-time.
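The monitoring advice above can be turned into a concrete audit pass. The following Python is an added example, not code from the advisory or the WCFM plugin: it assumes a hypothetical audit record format (actor, action, target, field, old, new) and a constructed user directory, and flags the two patterns this IDOR produces, a non-privileged user editing someone else's account and any email change on a privileged account.

```python
import re
from dataclasses import dataclass

# Constructed user directory: user id -> (login, role). Not real site data.
USERS = {
    1: ("siteadmin", "administrator"),
    7: ("shopmanager", "shop_manager"),
    42: ("alice", "subscriber"),
    43: ("bob", "customer"),
}

# Constructed audit lines in a hypothetical format; map your own audit plugin
# or database trigger output onto these fields before running the rules.
SAMPLE_LOG = """\
actor=42 action=wcfm_customer_update target=1 field=user_email old=admin@example.test new=attacker@example.test
actor=43 action=wcfm_customer_update target=43 field=user_email old=bob@example.test new=bob2@example.test
actor=1 action=profile_update target=1 field=user_email old=admin@example.test new=owner@example.test
actor=42 action=wcfm_customer_update target=7 field=display_name old=Shop new=Shop2
"""

LINE_RE = re.compile(r"actor=(\d+) action=(\S+) target=(\d+) field=(\S+) old=(\S+) new=(\S+)")
PRIVILEGED = {"administrator", "shop_manager"}


@dataclass
class Finding:
    actor: int
    target: int
    reason: str


def role_of(uid):
    return USERS.get(uid, ("?", "unknown"))[1]


def audit(log_text):
    """Return findings for account changes that look like CWE-639 abuse."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        actor, action, target, field = int(m[1]), m[2], int(m[3]), m[4]
        actor_role, target_role = role_of(actor), role_of(target)
        # Rule 1: a non-privileged actor touching an account that is not their own
        if actor != target and actor_role not in PRIVILEGED:
            findings.append(Finding(actor, target, f"{actor_role} edited user {target} via {action}"))
        # Rule 2: any email change on a privileged account; verify these out of band
        if field == "user_email" and target_role in PRIVILEGED:
            findings.append(Finding(actor, target, f"email of {target_role} account changed by user {actor}"))
    return findings
```

Rule 2 deliberately fires even when an administrator changes their own email, because the password-reset path this advisory describes hinges on that field and a legitimate change is cheap to confirm.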
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-08-28T20:42:11.811Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c26b7ef31ef0b5607b9
Added to database: 2/25/2026, 9:39:50 PM
Last enriched: 2/26/2026, 3:55:19 AM
Last updated: 2/26/2026, 7:50:09 AM
Views: 1