CVE-2026-0845 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WCFM – Frontend Manager for WooCommerce plugin, including its Bookings Subscription Listings Compatible component. The vulnerability arises from the absence of a proper capability check in the 'WCFM_Settings_Controller::processing' function across all versions up to 6.7.24. Authenticated users with Shop Manager or higher privileges can exploit this flaw to update arbitrary WordPress options. A critical attack vector involves changing the default registration role to 'administrator' and enabling user registration, thereby allowing attackers to create accounts with administrative privileges without further authentication. The CVSS 3.1 score of 7.2 reflects a high severity due to network exploitability (AV:N), low attack complexity (AC:L), required privileges (PR:H), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits are reported, the vulnerability's nature makes it a significant risk for WordPress sites using this plugin, potentially leading to full site takeover. The vulnerability affects all versions of the plugin up to and including 6.7.24, and no official patch links are currently available, indicating the need for vigilance and interim mitigations.

For European organizations, especially those operating e-commerce platforms on WordPress with WooCommerce and the WCFM plugin, this vulnerability poses a severe risk. Exploitation can lead to unauthorized administrative access, allowing attackers to manipulate site content, steal sensitive customer data, disrupt services, or install persistent backdoors. This can result in financial losses, reputational damage, and regulatory penalties under GDPR due to data breaches. The ability to escalate privileges from Shop Manager to Administrator means that insider threats or compromised lower-privilege accounts can be leveraged for full site compromise. Given the widespread use of WooCommerce in Europe, particularly in countries with mature e-commerce markets, the threat could affect a broad range of businesses, from SMEs to large enterprises. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for mitigation due to the vulnerability's straightforward exploitation path.

1. Monitor official vendor channels and WordPress plugin repositories for patches addressing CVE-2026-0845 and apply updates immediately upon release. 2. Until a patch is available, restrict Shop Manager-level access to trusted personnel only and audit existing user roles to minimize exposure. 3. Implement additional access control measures at the web server or application firewall level to block unauthorized requests targeting the vulnerable processing function. 4. Disable user registration if not required, or enforce strict validation and monitoring of new user accounts to detect suspicious activity. 5. Conduct regular security audits and review WordPress option settings for unauthorized changes. 6. Employ intrusion detection systems and log monitoring to identify exploitation attempts early. 7. Consider isolating critical WordPress instances or using containerization to limit the blast radius of a potential compromise. 8. Educate administrators and shop managers about the risks of privilege escalation and the importance of secure credential management.