Authorization Bypass in WCFM – Frontend Manager for WooCommerce Plugin by WordPress
CVE-2026-12994
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-12994?
The WCFM – Frontend Manager for WooCommerce plugin is susceptible to an authorization bypass that can be exploited by unauthenticated users. This vulnerability stems from inadequate checks on user authorization, allowing attackers to inject arbitrary content into store inquiries and overwrite existing inquiry records in the wp_wcfm_enquiries database. To compound the issue, the vulnerable functionality does not verify if the user is logged in or possesses the necessary permissions, relying solely on a nonce embedded in public pages. This can lead to unauthorized notifications being sent to both customers and vendors.
Affected Version(s)
WCFM – Frontend Manager for WooCommerce 0 <= 6.7.27