Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AV:N and PR:N confirmed by code: nonce is publicly exposed on every page with no login gate, so no privileges or network proximity required; only integrity impact applies as records are overwritten but no data is read or availability disrupted.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WCFM - Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. Unlike sibling controller branches (wcfm-enquiry and wcfm-enquiry-manage), the wcfm-my-account-enquiry-manage branch performs no is_user_logged_in() or current_user_can() check, and the nonce that serves as the sole barrier is embedded into every public page load without any login gate.
AnalysisAI
Authorization bypass in WCFM - Frontend Manager for WooCommerce (all versions through 6.7.27) allows unauthenticated network attackers to inject arbitrary content into store inquiry replies, overwrite inquiry records in the wp_wcfm_enquiries database table, and trigger unsolicited notification emails to customers and vendors. The root cause is a missing authentication gate in the wcfm-my-account-enquiry-manage controller branch - unlike its sibling branches, it performs neither is_user_logged_in() nor current_user_can() checks. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the WCFM store inquiry feature is active - a core, default-enabled feature of WCFM multivendor stores. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N yields a 5.3 Medium score, which is well-supported by the code-level evidence: network exploitation is trivial, the nonce is publicly available without authentication, and no complexity barriers exist. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker loads any public-facing page of the WooCommerce store, extracts the wcfm nonce value from the page HTML, and sends a crafted HTTP POST to wp-admin/admin-ajax.php with action=wcfm-my-account-enquiry-manage, a guessed or enumerated inquiry ID, and attacker-controlled reply content. Because no is_user_logged_in() or current_user_can() check is performed, the server writes the injected content into the wp_wcfm_enquiries record and dispatches the store's notification email to both the affected customer and vendor. … |
| Remediation | Update the WCFM - Frontend Manager for WooCommerce plugin to a version newer than 6.7.27 once a patched release is confirmed available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43156
GHSA-x34r-gp68-rfqr