Authorization Bypass in Wallet for WooCommerce Plugin by WordPress
CVE-2026-12103

4.3MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-12103?

The Wallet for WooCommerce plugin for WordPress suffers from a vulnerability that allows attackers with subscriber-level access to bypass authorization checks. This flaw stems from inadequate user verification, enabling these authenticated users to enumerate sensitive information, such as usernames, email addresses, and user IDs of all WordPress accounts, including administrators. The issue is exacerbated by the accessibility of the required nonce, which can be easily obtained by any authenticated user through a simple search operation on the WooCommerce My Account page.

Affected Version(s)

Wallet for WooCommerce 0 <= 1.6.4

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mitchell
.