CVE-2025-3780 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WCFM – Frontend Manager for WooCommerce plugin and its Bookings Subscription Listings Compatible extension for WordPress. The vulnerability arises from the absence of a capability check in the wcfm_redirect_to_setup function, which is responsible for redirecting users to the setup page of the plugin. This missing authorization allows unauthenticated attackers to access and modify sensitive plugin settings, including payment configurations and API keys, without any authentication or user interaction. The vulnerability affects all versions up to and including 6.7.16. The CVSS 3.1 base score is 6.5, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality and integrity but not availability (C:L/I:L/A:N). Although no public exploits have been reported, the potential for unauthorized data modification and exposure of sensitive financial information is significant. The vulnerability could be exploited remotely by attackers scanning for vulnerable WooCommerce sites using this plugin, potentially leading to financial fraud or further compromise of e-commerce platforms. The lack of patch links suggests that a fix may not yet be publicly available, increasing the urgency for interim mitigations.

The vulnerability allows unauthenticated attackers to view and modify critical plugin settings, including payment details and API keys, which can lead to unauthorized financial transactions, data breaches, and compromise of merchant accounts. This undermines the confidentiality and integrity of e-commerce operations relying on the WCFM plugin. Attackers could manipulate payment configurations to redirect funds or disrupt subscription services, causing financial losses and reputational damage. The absence of availability impact means the site may continue functioning normally, potentially masking the compromise. Organizations worldwide using this plugin in their WooCommerce stores face increased risk of targeted attacks, especially those processing high volumes of transactions or sensitive customer data. The vulnerability could also serve as a foothold for further attacks within the affected environment.

1. Immediately restrict access to the plugin’s setup and configuration endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests to these URLs. 2. Employ IP whitelisting or VPN access controls for administrative plugin pages to limit exposure. 3. Monitor logs for unusual access patterns or unauthorized changes to plugin settings, especially modifications to payment details or API keys. 4. Disable or remove the WCFM plugin if it is not essential until a patch is released. 5. Regularly check the vendor’s official channels for security updates or patches and apply them promptly once available. 6. Conduct a security audit of WooCommerce configurations and API key usage to detect any unauthorized changes. 7. Educate site administrators on the risks of exposing administrative plugin endpoints publicly and enforce strong access controls. 8. Consider deploying multi-factor authentication (MFA) on WordPress admin accounts to reduce risk from other attack vectors.