PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12126 wclovers CVE debrief

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability has a CVSS score of 6.4 and is classified as MEDIUM severity.

Vendor
wclovers
Product
WCFM Marketplace – Multivendor Marketplace for WooCommerce
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Users of WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress, particularly those with Vendor-level access and above, should be aware of this vulnerability and take immediate action to protect their sites. This includes updating the plugin to the latest version and restricting Vendor-level access to trusted users only.

Technical summary

The vulnerability exists in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress, specifically in the handling of attachment 'post_title'. Insufficient input sanitization and output escaping allow authenticated attackers with Vendor-level access and above to inject arbitrary web scripts. These scripts can be executed when a user accesses an injected page. The vulnerability has a CVSS score of 6.4 and is classified as MEDIUM severity.

Defensive priority

High priority should be given to updating the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin to a version that addresses this vulnerability.

Recommended defensive actions

  • Update the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin to the latest version.
  • Restrict Vendor-level access and above to trusted users only.
  • Monitor for suspicious activity, particularly injections of arbitrary web scripts.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-11T07:16:45.633Z and has not been modified since then. The NVD entry is currently 6.4, MEDIUM severity. The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. Evidence is limited to public CVE and NVD data.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:45.633Z and has not been modified since then.