PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12994 wclovers CVE debrief

The WCFM – Frontend Manager for WooCommerce plugin for WordPress has an authorization bypass vulnerability in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. As a result, unauthenticated attackers can inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. The vulnerability exists in the wcfm-my-account-enquiry-manage branch of the plugin, which does not perform the necessary is_user_logged_in() or current_user_can() checks. Instead, it relies solely on a nonce that is embedded into every public page load without any login gate.

Vendor
wclovers
Product
WCFM – Frontend Manager for WooCommerce
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Users of WCFM – Frontend Manager for WooCommerce plugin for WordPress, particularly those with WooCommerce-based online stores, should be aware of this vulnerability and take immediate action to update to a patched version. This includes site administrators, security teams, and operators responsible for maintaining WordPress installations with the affected plugin. The vulnerability's impact on data integrity and potential for unsolicited notification emails necessitates prompt attention.

Technical summary

The vulnerability exists in the wcfm-my-account-enquiry-manage branch of the WCFM – Frontend Manager for WooCommerce plugin, which does not perform the necessary is_user_logged_in() or current_user_can() checks. Instead, it relies solely on a nonce that is embedded into every public page load without any login gate. This allows unauthenticated attackers to exploit the vulnerability, enabling them to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. The plugin's failure to verify user authorization properly exposes a significant risk to WooCommerce site operators.

Defensive priority

Highly Critical

Recommended defensive actions

  • Update to a patched version of the plugin immediately
  • Verify that the plugin is properly configured and review current settings
  • Monitor for suspicious activity related to store inquiries and notification emails
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Perform a thorough review of the plugin's integration with WooCommerce and WordPress for any potential security gaps

Evidence notes

The vulnerability was reported by [email protected] and is tracked in CVE-2026-12994. The reporter provided evidence of the authorization bypass, which allows unauthenticated attackers to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. The WCFM – Frontend Manager for WooCommerce plugin for WordPress has a known vulnerability with limited scope and severity. Defenders should verify the affected product deployments in managed environments and review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:45.900Z and has not been modified since then.