Stored Cross-Site Scripting Vulnerability in WCFM Marketplace Plugin for WordPress
CVE-2026-12126

6.4MEDIUM

What is CVE-2026-12126?

The WCFM Marketplace plugin for WordPress contains a vulnerability that allows authenticated users with Vendor-level access to execute arbitrary web scripts through stored cross-site scripting (XSS). The flaw originates from inadequate input sanitization of media attachment titles, which can be exploited via the WordPress REST API. Maliciously crafted titles can inject scripts that execute when a privileged user accesses the media dashboard, potentially compromising the site and its users.

Affected Version(s)

WCFM Marketplace – Multivendor Marketplace for WooCommerce 0 <= 3.7.3

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nadir Şensoy
.