PT-2026-57411 · WordPress · Terawallet – For Woocommerce

Mitchell

·

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-12103

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions Wallet for WooCommerce versions prior to 1.6.5
Description An authorization bypass exists because the plugin fails to properly verify if a user is authorized to perform specific actions. Authenticated attackers with subscriber-level access or higher can enumerate the login name, email address, and user ID of all WordPress accounts, including administrators. This is achieved by submitting arbitrary search terms to the AJAX handler. The required search-user nonce is localized within the wallet param object on the standard WooCommerce My Account page, which is accessible to any authenticated user.
Recommendations Update Wallet for WooCommerce to version 1.6.5 or later.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-12103

Affected Products

Terawallet – For Woocommerce