CVE-2026-3477: CWE-862 Missing Authorization in projectzealous01 PZ Frontend Manager
The PZ Frontend Manager WordPress plugin up to version 1. 0. 6 contains a missing authorization vulnerability in the pzfm_user_request_action_callback() function. This function, which handles user activation, deactivation, and deletion via an AJAX endpoint, does not perform capability checks or nonce verification. As a result, authenticated users with Subscriber-level access or higher can delete arbitrary WordPress users, including administrators, by sending crafted requests. The vulnerability is due to an oversight since a similar function does perform proper authorization checks. No official patch or remediation guidance is currently available.
AI Analysis
Technical Summary
CVE-2026-3477 is a missing authorization vulnerability (CWE-862) in the PZ Frontend Manager WordPress plugin (versions up to 1.0.6). The vulnerability exists in the pzfm_user_request_action_callback() function registered to the wp_ajax_pzfm_user_request_action hook, which lacks both capability checks and nonce verification. When the 'dataType' parameter is set to 'delete', the function calls wp_delete_user() on supplied user IDs without verifying the requester's permissions. This allows authenticated users with minimal privileges (Subscriber and above) to delete arbitrary users, including administrators. The issue stems from an authorization oversight, as a similar function in the plugin properly checks permissions before deleting users. No patch or official fix has been published as of the provided data.
Potential Impact
An attacker with authenticated access at Subscriber level or higher can delete arbitrary WordPress users, including administrators, without proper authorization. This can lead to denial of service for legitimate users and potential loss of administrative control over the WordPress site. The vulnerability does not directly affect confidentiality or availability beyond user deletion but impacts integrity by allowing unauthorized user removals.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the AJAX endpoint by limiting user roles that can interact with the plugin or disable the plugin if feasible. Monitor for updates from the vendor or plugin maintainer to apply an official fix once released.
CVE-2026-3477: CWE-862 Missing Authorization in projectzealous01 PZ Frontend Manager
Description
The PZ Frontend Manager WordPress plugin up to version 1. 0. 6 contains a missing authorization vulnerability in the pzfm_user_request_action_callback() function. This function, which handles user activation, deactivation, and deletion via an AJAX endpoint, does not perform capability checks or nonce verification. As a result, authenticated users with Subscriber-level access or higher can delete arbitrary WordPress users, including administrators, by sending crafted requests. The vulnerability is due to an oversight since a similar function does perform proper authorization checks. No official patch or remediation guidance is currently available.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-3477 is a missing authorization vulnerability (CWE-862) in the PZ Frontend Manager WordPress plugin (versions up to 1.0.6). The vulnerability exists in the pzfm_user_request_action_callback() function registered to the wp_ajax_pzfm_user_request_action hook, which lacks both capability checks and nonce verification. When the 'dataType' parameter is set to 'delete', the function calls wp_delete_user() on supplied user IDs without verifying the requester's permissions. This allows authenticated users with minimal privileges (Subscriber and above) to delete arbitrary users, including administrators. The issue stems from an authorization oversight, as a similar function in the plugin properly checks permissions before deleting users. No patch or official fix has been published as of the provided data.
Potential Impact
An attacker with authenticated access at Subscriber level or higher can delete arbitrary WordPress users, including administrators, without proper authorization. This can lead to denial of service for legitimate users and potential loss of administrative control over the WordPress site. The vulnerability does not directly affect confidentiality or availability beyond user deletion but impacts integrity by allowing unauthorized user removals.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the AJAX endpoint by limiting user roles that can interact with the plugin or disable the plugin if feasible. Monitor for updates from the vendor or plugin maintainer to apply an official fix once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-03T13:24:27.134Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d5fe4c1cc7ad14da37383b
Added to database: 4/8/2026, 7:05:48 AM
Last enriched: 4/15/2026, 3:11:37 PM
Last updated: 5/23/2026, 9:01:16 PM
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.