Stored Cross-Site Scripting Vulnerability in WCFM Marketplace Plugin for WordPress
CVE-2026-12126
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-12126?
The WCFM Marketplace plugin for WordPress contains a vulnerability that allows authenticated users with Vendor-level access to execute arbitrary web scripts through stored cross-site scripting (XSS). The flaw originates from inadequate input sanitization of media attachment titles, which can be exploited via the WordPress REST API. Maliciously crafted titles can inject scripts that execute when a privileged user accesses the media dashboard, potentially compromising the site and its users.
Affected Version(s)
WCFM Marketplace – Multivendor Marketplace for WooCommerce 0 <= 3.7.3