Skip to main content

Wallet For Woocommerce

1 CVEs product

Monthly

CVE-2026-12103 MEDIUM This Month

User enumeration via authorization bypass in the Wallet for WooCommerce WordPress plugin (versions up to and including 1.6.4) allows any authenticated subscriber-level user to extract login names, email addresses, and user IDs for every WordPress account on the site, including administrators. The flaw exists because the plugin exposes a 'search-user' nonce - required to call its AJAX search handler - directly in the wallet_param JavaScript object rendered on the publicly accessible WooCommerce My Account page, making it trivially obtainable by any logged-in user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and wide subscriber-level accessibility make exploitation straightforward on sites with open user registration.

Authentication Bypass WordPress Wallet For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
EPSS 0% CVSS 4.3
MEDIUM This Month

User enumeration via authorization bypass in the Wallet for WooCommerce WordPress plugin (versions up to and including 1.6.4) allows any authenticated subscriber-level user to extract login names, email addresses, and user IDs for every WordPress account on the site, including administrators. The flaw exists because the plugin exposes a 'search-user' nonce - required to call its AJAX search handler - directly in the wallet_param JavaScript object rendered on the publicly accessible WooCommerce My Account page, making it trivially obtainable by any logged-in user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and wide subscriber-level accessibility make exploitation straightforward on sites with open user registration.

Authentication Bypass WordPress Wallet For Woocommerce
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy