CVE-2026-12103 in Wallet for WooCommerce Plugininfo

Summary

by MITRE • 07/11/2026

The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate the login name, email address, and user ID of all WordPress accounts — including administrators — by submitting arbitrary search terms to the AJAX handler. The required 'search-user' nonce is localized into the wallet_param object on the standard WooCommerce My Account page, which is accessible to any authenticated user, making it trivially obtainable by a Subscriber.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The Wallet for WooCommerce plugin presents a critical authorization bypass vulnerability that undermines fundamental security controls within WordPress ecosystems. This weakness affects all versions up to and including 1.6.4, creating a pathway for malicious actors to exploit the authentication mechanisms of e-commerce platforms. The vulnerability stems from insufficient verification processes that should ensure only authorized users can perform sensitive operations, allowing attackers with minimal privileges to escalate their access level and gain unauthorized insight into user accounts.

The technical flaw manifests through improper nonce handling within the plugin's AJAX implementation. Specifically, the 'search-user' nonce is exposed within the wallet_param object on the standard WooCommerce My Account page, which serves as a public entry point for all authenticated users regardless of their permission levels. This design decision eliminates the security barrier that nonces typically provide, as these cryptographic tokens are meant to prevent unauthorized requests by ensuring only legitimate users can execute specific actions. The nonce's exposure on a publicly accessible page means that any authenticated user, including subscribers, can easily extract this critical security element and subsequently abuse it for unauthorized account enumeration.

The operational impact of this vulnerability extends far beyond simple information disclosure, creating substantial risk for WordPress sites using the affected plugin. Attackers with subscriber-level access can systematically enumerate all WordPress accounts, obtaining login names, email addresses, and user IDs for every registered user including administrators who may have elevated privileges. This reconnaissance capability enables sophisticated attacks such as credential stuffing, targeted phishing campaigns, or further exploitation attempts against high-value administrator accounts. The vulnerability essentially transforms the plugin into a tool for passive reconnaissance that can be exploited by attackers without requiring additional privileges or complex attack vectors.

The weakness aligns with CWE-863, which addresses "Incorrect Authorization" in software systems, and demonstrates how insufficient access control mechanisms can create pathways for privilege escalation. From an ATT&CK framework perspective, this vulnerability maps to T1078 Valid Accounts and T1566 Phishing, as it enables adversaries to obtain valid credentials that can be used for further compromise. Organizations running affected versions of the plugin face significant exposure risks, particularly when combined with other vulnerabilities that may exist within their WordPress installations. The impact is amplified by the fact that this vulnerability requires no special technical skills to exploit, making it particularly dangerous in environments where multiple users have varying levels of access.

Mitigation strategies should prioritize immediate plugin updates to versions that address the authorization bypass issue, as this represents the most direct solution to the problem. Administrators must also conduct thorough security audits of their WordPress installations to identify any other plugins or themes that may exhibit similar authorization bypass behaviors. Additional protective measures include implementing stricter access controls on WooCommerce My Account pages, monitoring for unusual AJAX requests, and establishing robust user account monitoring systems that can detect enumeration attempts. Organizations should also consider deploying web application firewalls that can detect and block suspicious patterns associated with account enumeration attacks, while maintaining regular security assessments to identify similar vulnerabilities in other components of their digital infrastructure.

Responsible

Wordfence

Reservation

06/12/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!