PT-2026-57414 · WordPress · Wcfm – Frontend Manager For Woocommerce

Niv Kochan

·

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-12994

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions WCFM – Frontend Manager for WooCommerce versions prior to 6.7.28
Description An authorization bypass exists because the plugin fails to properly verify if a user is authorized to perform specific actions. Specifically, the wcfm-my-account-enquiry-manage branch lacks is user logged in() or current user can() checks, relying solely on a nonce that is embedded in public page loads. This allows unauthenticated attackers to inject arbitrary reply content into store inquiries, overwrite the main inquiry record in wp wcfm enquiries, and trigger unsolicited notification emails to customers and vendors.
Recommendations Update WCFM – Frontend Manager for WooCommerce to version 6.7.28 or later.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-12994

Affected Products

Wcfm – Frontend Manager For Woocommerce