PatchSiren cyber security CVE debrief
CVE-2026-12994 wclovers CVE debrief
The WCFM – Frontend Manager for WooCommerce plugin for WordPress has an authorization bypass vulnerability in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. As a result, unauthenticated attackers can inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. The vulnerability exists in the wcfm-my-account-enquiry-manage branch of the plugin, which does not perform the necessary is_user_logged_in() or current_user_can() checks. Instead, it relies solely on a nonce that is embedded into every public page load without any login gate.
- Vendor
- wclovers
- Product
- WCFM – Frontend Manager for WooCommerce
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Users of WCFM – Frontend Manager for WooCommerce plugin for WordPress, particularly those with WooCommerce-based online stores, should be aware of this vulnerability and take immediate action to update to a patched version. This includes site administrators, security teams, and operators responsible for maintaining WordPress installations with the affected plugin. The vulnerability's impact on data integrity and potential for unsolicited notification emails necessitates prompt attention.
Technical summary
The vulnerability exists in the wcfm-my-account-enquiry-manage branch of the WCFM – Frontend Manager for WooCommerce plugin, which does not perform the necessary is_user_logged_in() or current_user_can() checks. Instead, it relies solely on a nonce that is embedded into every public page load without any login gate. This allows unauthenticated attackers to exploit the vulnerability, enabling them to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. The plugin's failure to verify user authorization properly exposes a significant risk to WooCommerce site operators.
Defensive priority
Highly Critical
Recommended defensive actions
- Update to a patched version of the plugin immediately
- Verify that the plugin is properly configured and review current settings
- Monitor for suspicious activity related to store inquiries and notification emails
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Perform a thorough review of the plugin's integration with WooCommerce and WordPress for any potential security gaps
Evidence notes
The vulnerability was reported by [email protected] and is tracked in CVE-2026-12994. The reporter provided evidence of the authorization bypass, which allows unauthenticated attackers to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. The WCFM – Frontend Manager for WooCommerce plugin for WordPress has a known vulnerability with limited scope and severity. Defenders should verify the affected product deployments in managed environments and review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:45.900Z and has not been modified since then.