CVE-2026-12103
Received Received - Intake

Authorization Bypass in Wallet for WooCommerce Plugin

Vulnerability report for CVE-2026-12103, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate the login name, email address, and user ID of all WordPress accounts β€” including administrators β€” by submitting arbitrary search terms to the AJAX handler. The required 'search-user' nonce is localized into the wallet_param object on the standard WooCommerce My Account page, which is accessible to any authenticated user, making it trivially obtainable by a Subscriber.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
woocommerce wallet to 1.6.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability allows attackers with subscriber-level access to gather sensitive user information such as login names, email addresses, and user IDs of all accounts, including administrators.

Such information disclosure can facilitate further attacks like targeted phishing, social engineering, or brute force attacks against privileged accounts.

Although the vulnerability does not allow direct modification or deletion of data, the exposure of user details can compromise the security and privacy of the affected WordPress site.

Executive Summary

The Wallet for WooCommerce plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 1.6.4. This occurs because the plugin does not properly verify whether a user is authorized to perform certain actions.

As a result, authenticated users with subscriber-level access or higher can exploit this flaw to enumerate sensitive information such as login names, email addresses, and user IDs of all WordPress accounts, including administrators, by submitting arbitrary search terms to the AJAX handler.

The vulnerability is facilitated because the required 'search-user' nonce is available on the standard WooCommerce My Account page, which any authenticated user can access, making it easy for subscribers to obtain and exploit.

Compliance Impact

The vulnerability allows authenticated attackers with subscriber-level access to enumerate login names, email addresses, and user IDs of all WordPress accounts, including administrators. This exposure of personal data could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require proper protection of personal and sensitive information.

Since the plugin does not properly verify user authorization, it risks unauthorized disclosure of user information, which is a violation of principles like data minimization and access control mandated by these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12103. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart