CVE-2026-0845: CWE-862 Missing Authorization in wclovers WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
AI Analysis
Technical Summary
CVE-2026-0845 is a missing authorization vulnerability (CWE-862) in the WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress. The flaw is in the 'WCFM_Settings_Controller::processing' function, which writes site options without a capability check confirming that the authenticated user is allowed to change them. A user holding the WooCommerce Shop Manager role, or any higher role, can therefore update arbitrary rows in the wp_options table. The escalation path named in the advisory uses two WordPress core options: setting 'default_role' to 'administrator' and setting 'users_can_register' to 1, after which the attacker registers a new account through the normal registration form and that account is created as an administrator. All versions up to and including 6.7.24 are affected. The CVSS 3.1 base score is 7.2 (High), corresponding to the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no user interaction, and high impact on confidentiality, integrity and availability, with the score held below Critical only because the attacker needs an existing high-privilege (Shop Manager) account. No public exploit has been observed, but exploitation needs nothing more than one authenticated request to the settings handler, so any site that hands Shop Manager accounts to partially trusted staff should treat this as a site-takeover bug.
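The bug class described above, shown as an added illustration rather than the plugin's own code (the real 'WCFM_Settings_Controller::processing' source is not reproduced on this page): a settings handler that writes caller-chosen options after verifying only a nonce, beside a hardened version that adds the capability check and an allow-list of option names. The class names, the 'example-settings' nonce action, the 'settings' POST parameter and the two allowed option names are all made up for the example.

```php
<?php
/**
 * Illustrative example only, NOT code from WCFM or WordPress core.
 * Shows the missing-capability-check pattern behind CVE-2026-0845
 * next to a hardened equivalent. Class names, nonce action, POST
 * parameter and option names are hypothetical.
 */

// --- VULNERABLE PATTERN (do not use) ----------------------------------
class Example_Settings_Controller_Vulnerable {
    // Assumed reachable by any logged-in user who can call the plugin's
    // AJAX/settings endpoint, e.g. a WooCommerce Shop Manager.
    public function processing() {
        // A nonce proves the request came from the plugin's own form; it
        // says nothing about whether this user may change settings.
        check_ajax_referer( 'example-settings', 'nonce' );

        $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();

        foreach ( $settings as $key => $value ) {
            // Attacker-chosen key: 'default_role' => 'administrator',
            // 'users_can_register' => 1, or any other wp_options row.
            update_option( sanitize_key( $key ), $value );
        }
        wp_send_json_success();
    }
}

// --- HARDENED PATTERN ---------------------------------------------------
class Example_Settings_Controller_Hardened {
    /** Options this controller may write, each with its sanitizer. */
    private const ALLOWED = array(
        'example_store_name'     => 'sanitize_text_field',
        'example_items_per_page' => 'absint',
    );

    public function processing() {
        check_ajax_referer( 'example-settings', 'nonce' );

        // 1. Capability check. Changing site-wide settings requires
        //    manage_options, which the Shop Manager role does not have.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'insufficient_permissions', 403 );
        }

        $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();

        foreach ( $settings as $key => $value ) {
            // 2. Allow-list option names so core options such as
            //    default_role and users_can_register can never be reached.
            if ( ! array_key_exists( $key, self::ALLOWED ) ) {
                continue;
            }
            // 3. Sanitize per option before writing.
            update_option( $key, call_user_func( self::ALLOWED[ $key ], $value ) );
        }
        wp_send_json_success();
    }
}
```

The two changes that matter are the `current_user_can( 'manage_options' )` check and the allow-list: the first stops Shop Managers from reaching the handler at all, the second means that even a user who legitimately passes the check cannot turn a plugin settings form into a generic `update_option()` primitive.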
Potential Impact
The primary impact of CVE-2026-0845 is privilege escalation from Shop Manager-level access to full administrator control of an affected WordPress site. Once the attacker holds an administrator account they can create or modify other administrator accounts, read customer and order data, change or delete content, install backdoored plugins or themes, and disrupt store operations. Because WooCommerce is widely used for online stores, a compromise can mean financial loss, reputational damage and regulatory exposure, and the site's integrity and availability are both at risk through defacement or downtime. The precondition is a Shop Manager (or higher) account, so the realistic attackers are insiders with that role or external actors who have obtained such credentials through phishing or reuse. No public exploit has been observed, which leaves a window for remediation, but the flaw is a single authenticated request away from administrator access and should be treated as a high-severity, site-takeover risk for any installation running an affected version.
Mitigation Recommendations
1. Update the WCFM – Frontend Manager for WooCommerce plugin to a release later than 6.7.24 as soon as the vendor publishes the fix; the advisory gives 6.7.24 as the last affected version.
2. Until the fix is applied, review who holds the Shop Manager role and remove it where it is not strictly needed. The attack requires that role or higher, so reducing the number of such accounts directly reduces exposure.
3. Disabling user registration (Settings > General > Membership) is still worth doing, but it is not a mitigation for this bug: the flaw lets the attacker switch registration back on. Treat any unexpected change to the 'users_can_register' or 'default_role' options as a compromise indicator.
4. Monitor the 'default_role' and 'users_can_register' options and audit logs for changes, and check their current values now ('wp option get default_role' should return 'subscriber' or another low-privilege role on a store that does not use registration, and 'wp option get users_can_register' should return 0). Also review the user list for administrator accounts created after the affected version was installed.
5. Require multi-factor authentication for all Shop Manager and administrator accounts to reduce the risk that stolen credentials supply the precondition.
6. Include privilege-escalation paths through WordPress roles and plugin settings endpoints in regular security reviews and penetration tests.
7. Train administrators and Shop Managers on phishing and credential hygiene, since a compromised Shop Manager login is the attacker's entry point.
8. Where a web application firewall is available, add a rule that blocks requests to the plugin's settings handler that carry 'default_role', 'users_can_register' or other core option names, and alert on any hit.
9. Keep regular, tested backups of the database and site files so that a compromised site can be restored rather than cleaned in place.
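A compensating control for items 3 and 4, added here as an example and not part of WCFM or WordPress core: a must-use plugin that blocks and logs writes to 'default_role' and 'users_can_register' unless the current user holds manage_options, and logs any grant of the administrator role. It relies on the WordPress 'pre_update_option_{$option}' filter (returning the old value makes update_option() a no-op) and the 'set_user_role' action. Assumptions: the site changes these two options only from the admin Settings screen or WP-CLI, and PHP's error_log() output is being collected.

```php
<?php
/**
 * Plugin Name: Privileged Option Guard (example)
 * Description: Added example, not part of WCFM or WordPress core. Blocks
 * and logs changes to registration-related core options unless the
 * current user can manage_options. Place in wp-content/mu-plugins/.
 */

// Core options used by the CVE-2026-0845 escalation path. Assumption:
// nothing on this site legitimately changes them outside Settings > General
// or WP-CLI, so any other writer is suspicious.
const EXAMPLE_GUARDED_OPTIONS = array( 'default_role', 'users_can_register' );

foreach ( EXAMPLE_GUARDED_OPTIONS as $option ) {
    // pre_update_option_{$option} runs before the row is written and
    // receives ( $value, $old_value, $option ).
    add_filter( "pre_update_option_{$option}", 'example_guard_option', 10, 3 );
}

function example_guard_option( $value, $old_value, $option ) {
    if ( $value === $old_value ) {
        return $value; // No-op write; nothing to log.
    }

    $user = wp_get_current_user();
    $who  = $user->exists() ? "{$user->user_login} (ID {$user->ID})" : 'no user';

    // Administrators may change these from Settings > General, and WP-CLI
    // (which runs without a logged-in user) is trusted as an operator tool.
    $allowed = ( defined( 'WP_CLI' ) && WP_CLI ) || current_user_can( 'manage_options' );

    $uri = isset( $_SERVER['REQUEST_URI'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) )
        : 'cli';

    error_log( sprintf(
        '[option-guard] %s change of %s from %s to %s by %s via %s',
        $allowed ? 'ALLOWED' : 'BLOCKED',
        $option,
        wp_json_encode( $old_value ),
        wp_json_encode( $value ),
        $who,
        $uri
    ) );

    // Returning the existing value makes update_option() return false
    // without touching the database, so a Shop Manager hitting the
    // vulnerable handler cannot flip these options.
    return $allowed ? $value : $old_value;
}

// Tripwire for the second half of the attack: a new or promoted
// administrator. set_user_role passes ( $user_id, $role, $old_roles ).
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role ) {
        error_log( sprintf(
            '[option-guard] user %d granted administrator (previous roles: %s)',
            $user_id,
            $old_roles ? implode( ',', $old_roles ) : 'none'
        ) );
    }
}, 10, 3 );
```

This does not fix the plugin; it only closes the specific option-writing path the advisory names and gives you a log line to alert on. An attacker with the same arbitrary-option primitive can still write other options, so the guard is a stopgap until the patched release is installed, and the BLOCKED log entries are the signal that someone is already trying.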
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-10T15:14:52.880Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698a6e434b57a58fa1785556
Added to database: 2/9/2026, 11:31:15 PM
Last enriched: 2/26/2026, 6:44:37 PM
Last updated: 3/27/2026, 4:21:32 AM
Views: 175