Home

Description

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. Unlike sibling controller branches (wcfm-enquiry and wcfm-enquiry-manage), the wcfm-my-account-enquiry-manage branch performs no is_user_logged_in() or current_user_can() check, and the nonce that serves as the sole barrier is embedded into every public page load without any login gate.

PUBLISHED Reserved 2026-06-23 | Published 2026-07-11 | Updated 2026-07-13 | Assigner Wordfence




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

Any version
affected

Timeline

2026-06-23:Vendor Notified
2026-07-10:Disclosed

Credits

Niv Kochan finder

References

www.wordfence.com/...-a2c7-4a95-b644-bb0401f91b40?source=cve

plugins.trac.wordpress.org/...27/core/class-wcfm-enquiry.php

plugins.trac.wordpress.org/...27/core/class-wcfm-enquiry.php

plugins.trac.wordpress.org/...-controller-enquiry-manage.php

plugins.trac.wordpress.org/...-controller-enquiry-manage.php

plugins.trac.wordpress.org/...7/core/class-wcfm-frontend.php

plugins.trac.wordpress.org/...26/core/class-wcfm-enquiry.php

plugins.trac.wordpress.org/...26/core/class-wcfm-enquiry.php

plugins.trac.wordpress.org/...-controller-enquiry-manage.php

plugins.trac.wordpress.org/...-controller-enquiry-manage.php

plugins.trac.wordpress.org/...6/core/class-wcfm-frontend.php

plugins.trac.wordpress.org/...=3588570%40wc-frontend-manager

cve.org (CVE-2026-12994)

nvd.nist.gov (CVE-2026-12994)

Download JSON