Skip to main content

Wcfm Marketplace Multivendor Marketplace For Woocommerce

1 CVEs product

Monthly

CVE-2026-12126 MEDIUM This Month

Stored XSS in WCFM Marketplace - Multivendor Marketplace for WooCommerce (all versions ≤ 3.7.3) permits authenticated attackers holding a Vendor-level account to plant persistent JavaScript payloads inside WordPress media attachment titles, targeting any privileged user who subsequently loads the media management dashboard. The injection path is notable for its stealth: the attacker uploads a media file with a crafted post_title via the standard WordPress REST API (/wp-json/wp/v2/media), bypassing any AJAX-based access controls, because the unescaped title is later serialized into DataTables JSON and written directly to the DOM via innerHTML on the admin media interface. No public exploit code is identified and the vulnerability has no CISA KEV listing at time of analysis, but the low privilege barrier - any marketplace vendor account - meaningfully elevates real-world risk in multi-vendor deployments with untrusted sellers.

WordPress XSS Wcfm Marketplace Multivendor Marketplace For Woocommerce
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WCFM Marketplace - Multivendor Marketplace for WooCommerce (all versions ≤ 3.7.3) permits authenticated attackers holding a Vendor-level account to plant persistent JavaScript payloads inside WordPress media attachment titles, targeting any privileged user who subsequently loads the media management dashboard. The injection path is notable for its stealth: the attacker uploads a media file with a crafted post_title via the standard WordPress REST API (/wp-json/wp/v2/media), bypassing any AJAX-based access controls, because the unescaped title is later serialized into DataTables JSON and written directly to the DOM via innerHTML on the admin media interface. No public exploit code is identified and the vulnerability has no CISA KEV listing at time of analysis, but the low privilege barrier - any marketplace vendor account - meaningfully elevates real-world risk in multi-vendor deployments with untrusted sellers.

WordPress XSS Wcfm Marketplace Multivendor Marketplace For Woocommerce
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy