CVE-2025-3780

Sažetak

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys

Reference

https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.16/core/class-wcfm-admin.php#L74
https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.16/core/class-wcfm-admin.php#L81
https://www.wordfence.com/threat-intel/vulnerabilities/id/26a82493-a6a5-4d8e-8322-942925a54cc3?source=cve

CVSS

Base:	6.5
Impact:	2.5
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Zadnje važnije ažuriranje

09-07-2025 - 00:15

Objavljeno

09-07-2025 - 00:15