PatchSiren cyber security CVE debrief
CVE-2026-12126 wclovers CVE debrief
The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability has a CVSS score of 6.4 and is classified as MEDIUM severity.
- Vendor
- wclovers
- Product
- WCFM Marketplace – Multivendor Marketplace for WooCommerce
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Users of WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress, particularly those with Vendor-level access and above, should be aware of this vulnerability and take immediate action to protect their sites. This includes updating the plugin to the latest version and restricting Vendor-level access to trusted users only.
Technical summary
The vulnerability exists in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress, specifically in the handling of attachment 'post_title'. Insufficient input sanitization and output escaping allow authenticated attackers with Vendor-level access and above to inject arbitrary web scripts. These scripts can be executed when a user accesses an injected page. The vulnerability has a CVSS score of 6.4 and is classified as MEDIUM severity.
Defensive priority
High priority should be given to updating the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin to a version that addresses this vulnerability.
Recommended defensive actions
- Update the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin to the latest version.
- Restrict Vendor-level access and above to trusted users only.
- Monitor for suspicious activity, particularly injections of arbitrary web scripts.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-11T07:16:45.633Z and has not been modified since then. The NVD entry is currently 6.4, MEDIUM severity. The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. Evidence is limited to public CVE and NVD data.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:45.633Z and has not been modified since then.