Skip to main content

WCFM Marketplace CVE-2026-12126

| EUVDEUVD-2026-43158 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-11 Wordfence GHSA-392f-h24w-84fc
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Payload plants via REST API (AV:N/PR:L) but fires only when a victim admin loads the dashboard (UI:R); scope change applies as vendor-context payload executes in admin-context browser.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 07:01 vuln.today
CVE Published
Jul 11, 2026 - 05:35 cve.org
MEDIUM 6.4

DescriptionCVE.org

The WCFM Marketplace - Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. An attacker can plant the payload by uploading a media attachment with a crafted title via the WordPress REST API (/wp-json/wp/v2/media), without ever invoking the AJAX endpoint themselves, as the unescaped title is later emitted inside DataTables JSON and inserted as innerHTML upon any privileged user loading the media dashboard.

AnalysisAI

Stored XSS in WCFM Marketplace - Multivendor Marketplace for WooCommerce (all versions ≤ 3.7.3) permits authenticated attackers holding a Vendor-level account to plant persistent JavaScript payloads inside WordPress media attachment titles, targeting any privileged user who subsequently loads the media management dashboard. The injection path is notable for its stealth: the attacker uploads a media file with a crafted post_title via the standard WordPress REST API (/wp-json/wp/v2/media), bypassing any AJAX-based access controls, because the unescaped title is later serialized into DataTables JSON and written directly to the DOM via innerHTML on the admin media interface. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as marketplace vendor via REST API
Delivery
POST crafted post_title to /wp-json/wp/v2/media
Exploit
Payload persists unescaped in WordPress database
Install
Admin navigates to media dashboard
C2
DataTables fetches JSON containing unescaped title
Execute
Browser executes injected script via innerHTML
Impact
Exfiltrate admin session cookie or trigger privileged action

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account with at least Vendor-level role within the WCFM Marketplace plugin - unauthenticated or subscriber-level exploitation is not possible per the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 6.4 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N accurately captures the network-accessible, low-complexity nature of planting the payload, and the scope change (S:C) correctly models the cross-user impact where a vendor-level attacker compromises an administrator's session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious vendor registered on a WooCommerce multi-vendor marketplace authenticates to the site and sends a crafted POST request to /wp-json/wp/v2/media, setting the media attachment title to a script payload designed to exfiltrate the administrator's session cookie to an attacker-controlled endpoint. The payload is stored unescaped in the WordPress database. …
Remediation A fix has been committed to the plugin's Subversion repository as changeset 3588629 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3588629%40wc-multivendor-marketplace&new=3588629%40wc-multivendor-marketplace); however, the exact released plugin version incorporating this commit is not independently confirmed from the available data - site administrators should update to the latest available version from the WordPress plugin repository and verify it is numbered higher than 3.7.3. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12126 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy