Skip to main content

WCFM Frontend Manager EUVDEUVD-2026-43156

| CVE-2026-12994 MEDIUM
Missing Authorization (CWE-862)
2026-07-11 Wordfence GHSA-x34r-gp68-rfqr
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

AV:N and PR:N confirmed by code: nonce is publicly exposed on every page with no login gate, so no privileges or network proximity required; only integrity impact applies as records are overwritten but no data is read or availability disrupted.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 06:58 vuln.today
CVE Published
Jul 11, 2026 - 05:35 cve.org
MEDIUM 5.3

DescriptionCVE.org

The WCFM - Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. Unlike sibling controller branches (wcfm-enquiry and wcfm-enquiry-manage), the wcfm-my-account-enquiry-manage branch performs no is_user_logged_in() or current_user_can() check, and the nonce that serves as the sole barrier is embedded into every public page load without any login gate.

AnalysisAI

Authorization bypass in WCFM - Frontend Manager for WooCommerce (all versions through 6.7.27) allows unauthenticated network attackers to inject arbitrary content into store inquiry replies, overwrite inquiry records in the wp_wcfm_enquiries database table, and trigger unsolicited notification emails to customers and vendors. The root cause is a missing authentication gate in the wcfm-my-account-enquiry-manage controller branch - unlike its sibling branches, it performs neither is_user_logged_in() nor current_user_can() checks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Load public store page to harvest nonce
Delivery
Enumerate wp_wcfm_enquiries inquiry IDs
Exploit
Craft POST to wp-admin/admin-ajax.php with wcfm-my-account-enquiry-manage action
Execution
Bypass missing authorization check in controller
Persist
Overwrite inquiry record with arbitrary content
Impact
Trigger spam notification emails to customer and vendor

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the WCFM store inquiry feature is active - a core, default-enabled feature of WCFM multivendor stores. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N yields a 5.3 Medium score, which is well-supported by the code-level evidence: network exploitation is trivial, the nonce is publicly available without authentication, and no complexity barriers exist. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker loads any public-facing page of the WooCommerce store, extracts the wcfm nonce value from the page HTML, and sends a crafted HTTP POST to wp-admin/admin-ajax.php with action=wcfm-my-account-enquiry-manage, a guessed or enumerated inquiry ID, and attacker-controlled reply content. Because no is_user_logged_in() or current_user_can() check is performed, the server writes the injected content into the wp_wcfm_enquiries record and dispatches the store's notification email to both the affected customer and vendor. …
Remediation Update the WCFM - Frontend Manager for WooCommerce plugin to a version newer than 6.7.27 once a patched release is confirmed available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43156 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy