Authorization Bypass in Wallet for WooCommerce Plugin by WordPress
CVE-2026-12103
4.3MEDIUM
What is CVE-2026-12103?
The Wallet for WooCommerce plugin for WordPress suffers from a vulnerability that allows attackers with subscriber-level access to bypass authorization checks. This flaw stems from inadequate user verification, enabling these authenticated users to enumerate sensitive information, such as usernames, email addresses, and user IDs of all WordPress accounts, including administrators. The issue is exacerbated by the accessibility of the required nonce, which can be easily obtained by any authenticated user through a simple search operation on the WooCommerce My Account page.
Affected Version(s)
Wallet for WooCommerce 0 <= 1.6.4