CVE-2026-6709
Missing Authorization in Coinbase Commerce for Contact Form 7 WordPress Plugin
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| contact_form_7 | coinbase_commerce | up to and including 1.1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Coinbase Commerce for Contact Form 7 plugin for WordPress, specifically in versions up to and including 1.1.2. It is caused by missing authorization checks and nonce verification in the save_settings() function, which is triggered by the admin_post_cccf7_save_settings hook.
Because of this, authenticated users with Subscriber-level access or higher can exploit the vulnerability by sending a crafted POST request to the /wp-admin/admin-post endpoint. This allows them to overwrite the plugin's Coinbase Commerce API key option (cccf7_api_key) without proper permission.
How can this vulnerability impact me?
This vulnerability can allow an attacker with low-level authenticated access (Subscriber or above) to overwrite the Coinbase Commerce API key used by the plugin.
By changing the API key, an attacker could potentially redirect payments or interfere with the plugin's intended functionality, leading to unauthorized financial transactions or disruption of commerce operations on the affected WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST requests to the /wp-admin/admin-post.php endpoint that carry action=cccf7_save_settings (the request parameter that triggers the admin_post_cccf7_save_settings hook). Since the vulnerability allows authenticated users with Subscriber-level access and above to overwrite the Coinbase Commerce API key via crafted POST requests, inspecting web server logs for unusual or unexpected POST requests to this endpoint, especially from accounts that are not administrators, may help identify exploitation attempts.
Commands to detect such activity could include using grep or similar to search web server logs. Note that a standard Apache or nginx access log records the request line (method, path and query string) but not the POST body, so the action and cccf7_api_key parameters only appear there when they are sent in the query string; matching them inside a POST body requires a log that captures request bodies, such as a WAF audit log. The hook name admin_post_cccf7_save_settings itself never appears in the request.
- grep 'POST /wp-admin/admin-post.php' /var/log/apache2/access.log
- grep 'cccf7_save_settings' /var/log/apache2/access.log
- grep 'cccf7_api_key' /path/to/request-body-audit.log (only useful where request bodies are logged; the path is a placeholder)
Additionally, monitoring for changes to the plugin's stored options in the WordPress database related to cccf7_api_key could indicate exploitation.
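One way to watch for (and, until a patched release is installed, block) changes to the stored API key is a small must-use plugin that hooks WordPress's own option-update filter and the admin-post action named in the advisory. The following is an added example written for this page, not code from the Coinbase Commerce for Contact Form 7 plugin. The option name cccf7_api_key and the action name cccf7_save_settings come from the advisory; that manage_options is the right capability, and that the plugin registers its handler at the default priority 10, are assumptions.

```php
<?php
/**
 * Plugin Name: cccf7 API key guard (illustrative mu-plugin, added example)
 *
 * Save as wp-content/mu-plugins/cccf7-guard.php. Logs every change to the
 * cccf7_api_key option with the acting user and client IP, and refuses the
 * change when the user cannot manage options. Not part of the plugin itself.
 */

// Assumption: only users with manage_options may change the API key.
const CCCF7_GUARD_CAP = 'manage_options';

function cccf7_guard_log( $what ) {
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $uri  = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    error_log( sprintf(
        'cccf7 guard: %s by user #%d (%s) from %s via %s',
        $what, $user->ID, $user->user_login, $ip, $uri
    ) );
}

// Runs inside update_option() before the new value is written. Returning the
// old value makes update_option() a no-op, so the key cannot be overwritten
// by a user who lacks the capability, whichever code path called it.
add_filter( 'pre_update_option_cccf7_api_key', function ( $new_value, $old_value ) {
    if ( $new_value === $old_value ) {
        return $new_value;
    }
    if ( ! current_user_can( CCCF7_GUARD_CAP ) ) {
        cccf7_guard_log( 'BLOCKED change of cccf7_api_key' );
        return $old_value;
    }
    cccf7_guard_log( 'cccf7_api_key changed' );
    return $new_value;
}, 10, 2 );

// Also stop the plugin's own admin-post handler from running for unprivileged
// users: hooking the same action at priority 1 runs before the default 10.
add_action( 'admin_post_cccf7_save_settings', function () {
    if ( ! current_user_can( CCCF7_GUARD_CAP ) ) {
        cccf7_guard_log( 'BLOCKED request to cccf7_save_settings' );
        wp_die( 'You are not allowed to change these settings.', 'Forbidden', array( 'response' => 403 ) );
    }
}, 1 );
```

The entries land in the PHP error log (or wherever WP_DEBUG_LOG points), so a "BLOCKED" line naming a Subscriber account is a direct indicator of an attempt against this issue, and the filter-based block holds even if the request reaches update_option() through some other route than the admin-post handler.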
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should restrict access to the affected plugin's settings endpoint and ensure that only trusted users with appropriate permissions can perform changes.
Since the vulnerability arises from missing authorization and nonce verification in the save_settings() function, applying updates or patches provided by the plugin developer that fix these issues is the most effective mitigation.
If an update is not yet available, consider temporarily disabling the Coinbase Commerce for Contact Form 7 plugin or restricting access to the /wp-admin/admin-post endpoint via web server configuration or firewall rules to prevent unauthorized POST requests.
Also, review and audit user roles and permissions to ensure that only trusted users have Subscriber-level or higher access.
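For reference, this is what a correctly guarded settings form and admin-post handler look like in WordPress: a capability check first, then nonce verification, then sanitization of the submitted value. It is an added illustrative example, not the plugin's actual save_settings() function; the option name cccf7_api_key and the action name cccf7_save_settings are taken from the advisory, while the nonce name, the function names prefixed cccf7_example_ and the admin page slug are assumptions.

```php
<?php
/**
 * Added example of a hardened admin-post settings handler.
 * Illustrative only; do not install next to the real plugin, since it hooks
 * the same action name.
 */

// 1. Settings page: the form carries the action and a nonce bound to it.
function cccf7_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cccf7_save_settings">
        <?php wp_nonce_field( 'cccf7_save_settings', 'cccf7_nonce' ); ?>
        <label>Coinbase Commerce API key
            <input type="text" name="cccf7_api_key"
                   value="<?php echo esc_attr( get_option( 'cccf7_api_key', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handler: authorization, then CSRF protection, then sanitize and save.
function cccf7_example_save_settings() {
    // admin_post_ hooks only require a logged-in user, which includes
    // Subscribers; the capability check is what restricts this to admins.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // The nonce ties the request to this action and this user's session;
    // check_admin_referer() dies if it is missing or invalid.
    check_admin_referer( 'cccf7_save_settings', 'cccf7_nonce' );

    $api_key = isset( $_POST['cccf7_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['cccf7_api_key'] ) )
        : '';
    update_option( 'cccf7_api_key', $api_key );

    // Redirect back to the (assumed) settings page; never render on admin-post.php.
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true',
        admin_url( 'admin.php?page=cccf7-example' ) ) );
    exit;
}
add_action( 'admin_post_cccf7_save_settings', 'cccf7_example_save_settings' );
```

The order matters: the capability check alone closes the missing-authorization hole described above, and the nonce check additionally prevents an administrator from being tricked into submitting the form from another site. Both checks must live in the handler, since the form markup can be skipped entirely by anyone who posts directly to admin-post.php.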