CVE-2026-12126
Received Received - Intake

Stored XSS in WCFM Marketplace WooCommerce Plugin

Vulnerability report for CVE-2026-12126, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. An attacker can plant the payload by uploading a media attachment with a crafted title via the WordPress REST API (/wp-json/wp/v2/media), without ever invoking the AJAX endpoint themselves, as the unescaped title is later emitted inside DataTables JSON and inserted as innerHTML upon any privileged user loading the media dashboard.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wcfm marketplace to 3.7.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WCFM Marketplace plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'post_title' field of media attachments. This happens because the plugin does not properly sanitize or escape input and output data. Authenticated users with Vendor-level access or higher can upload media with a specially crafted title containing malicious scripts. These scripts are then stored and executed whenever a privileged user views the media dashboard, as the unsafe title is inserted directly into the page's HTML.

Impact Analysis

This vulnerability allows attackers with certain access privileges to inject malicious scripts that execute in the browsers of other privileged users. This can lead to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of the victim user. Since the attack is stored and triggers upon viewing the media dashboard, it can affect multiple users and compromise the security of the WordPress site.

Compliance Impact

The vulnerability allows authenticated attackers with Vendor-level access to inject arbitrary web scripts via stored cross-site scripting (XSS). This can lead to unauthorized access or manipulation of data when privileged users access the affected pages.

Such unauthorized script execution could potentially expose sensitive user information or administrative functions, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive data against unauthorized access or disclosure.

However, the provided information does not explicitly detail the direct compliance impact or specific regulatory violations caused by this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12126. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart