CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-10041

mediumCVSS 4.3covered by 1 sourcefirst seen 2026-07-11
The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors.

⚡ Watch CVE-2026-10041

Get an email if CVE-2026-10041 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-10041

CVE.org record

Embed the live status

CVE-2026-10041 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-10041 status](https://www.csirts.com/badge/CVE-2026-10041)](https://www.csirts.com/cve/CVE-2026-10041)