CVE-2026-3477 describes a missing authorization vulnerability (CWE-862) in the PZ Frontend Manager plugin for WordPress. The vulnerability exists in the pzfm_user_request_action_callback() function, which is registered to handle AJAX requests via the wp_ajax_pzfm_user_request_action hook. This function processes user activation, deactivation, and deletion but lacks both capability checks and nonce verification. Specifically, when the 'dataType' parameter equals 'delete', the function calls wp_delete_user() on all provided user IDs without verifying the permissions of the requester. This oversight contrasts with a similar function, pzfm_remove_item_callback(), which properly checks permissions before deleting users. Consequently, attackers with minimal authenticated access (Subscriber role or above) can delete arbitrary users, including administrators, via crafted AJAX requests. The CVSS 3.1 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact. No patch or official remediation is currently documented.

An attacker with authenticated access at the Subscriber level or higher can delete arbitrary WordPress users, including administrators, without proper authorization checks. This can lead to loss of administrative control and disruption of site management. There is no confidentiality or availability impact directly indicated, but integrity is impacted due to unauthorized user deletions.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the AJAX endpoint by limiting authenticated user roles or disabling the vulnerable plugin if feasible. Monitor for plugin updates from projectzealous01 addressing this issue.