Authorization Bypass in WCFM – Frontend Manager for WooCommerce Plugin by WordPress
CVE-2026-12994

5.3MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-12994?

The WCFM – Frontend Manager for WooCommerce plugin is susceptible to an authorization bypass that can be exploited by unauthenticated users. This vulnerability stems from inadequate checks on user authorization, allowing attackers to inject arbitrary content into store inquiries and overwrite existing inquiry records in the wp_wcfm_enquiries database. To compound the issue, the vulnerable functionality does not verify if the user is logged in or possesses the necessary permissions, relying solely on a nonce embedded in public pages. This can lead to unauthorized notifications being sent to both customers and vendors.

Affected Version(s)

WCFM – Frontend Manager for WooCommerce 0 <= 6.7.27

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Niv Kochan
.