{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3780", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-17T19:51:29.910Z", "datePublished": "2025-07-08T23:22:48.619Z", "dateUpdated": "2026-04-08T16:42:46.567Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:46.567Z"}, "affected": [{"vendor": "wclovers", "product": "WCFM \u2013 Frontend Manager for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.7.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys"}], "title": "WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26a82493-a6a5-4d8e-8322-942925a54cc3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.16/core/class-wcfm-admin.php#L74"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.16/core/class-wcfm-admin.php#L81"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "timeline": [{"time": "2025-04-16T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-07-08T11:13:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-09T13:15:27.802344Z", "id": "CVE-2025-3780", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-09T13:15:34.030Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3780", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-09T13:15:27.802344Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-09T13:15:31.453Z"}}], "cna": {"title": "WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification", "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "wclovers", "product": "WCFM \u2013 Frontend Manager for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.7.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-16T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-07-08T11:13:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26a82493-a6a5-4d8e-8322-942925a54cc3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.16/core/class-wcfm-admin.php#L74"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.16/core/class-wcfm-admin.php#L81"}], "descriptions": [{"lang": "en", "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:46.567Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3780", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:42:46.567Z", "dateReserved": "2025-04-17T19:51:29.910Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-08T23:22:48.619Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "B3C14E0C-417A-40DC-A04C-BB39641CF2ED", "versionEndExcluding": "6.7.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys"}, {"lang": "es", "value": "El complemento WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n wcfm_redirect_to_setup en todas las versiones hasta la 6.7.16 incluida. Esto permite que atacantes no autenticados vean y modifiquen la configuraci\u00f3n del complemento, incluyendo los detalles de pago y las claves API."}], "id": "CVE-2025-3780", "lastModified": "2025-07-17T13:34:21.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-07-09T00:15:39.570", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.16/core/class-wcfm-admin.php#L74"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.16/core/class-wcfm-admin.php#L81"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26a82493-a6a5-4d8e-8322-942925a54cc3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T01:11:52.605900+00:00", "value": {"mitigation_remediation": ["Update the WCFM plugin to version\u202f6.7.17 or newer, which removes the missing capability check.", "Limit access to the plugin\u2019s settings page by IP or by restricting it to administrators with appropriate roles, thereby blocking unauthenticated requests.", "If payment details or API keys are suspected to have been compromised, rotate them immediately to invalidate any potential unauthorized access."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Configuration Modification"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the WCFM plugin from wclovers, specifically the Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible version 6.7.16 and earlier. No other versions are known to be affected, and no detailed version range beyond 6.7.16 is provided.", "description_and_impact": "The WCFM \u2013 Frontend Manager for WooCommerce plugin contains a missing capability check on the wcfm_redirect_to_setup function. As a result, an attacker who does not have any authentication or authorization can view and alter the plugin's settings, including payment details and API keys. This breach allows modification of critical configuration data.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests that active exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. The likely attack path is a remote web request to the plugin's setup endpoint, which does not require user authentication, as inferred from the description. An attacker can exploit this to view or change the plugin settings, including payment configurations and API keys."}}}}, "created": "2026-04-28T01:15:15.675325+00:00", "updated": "2026-04-28T01:15:15.675335+00:00", "vendors": []}