CVE-2026-12126 in WCFM Marketplace Plugininfo

Summary

by MITRE • 07/11/2026

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. An attacker can plant the payload by uploading a media attachment with a crafted title via the WordPress REST API (/wp-json/wp/v2/media), without ever invoking the AJAX endpoint themselves, as the unescaped title is later emitted inside DataTables JSON and inserted as innerHTML upon any privileged user loading the media dashboard.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The vulnerability in the WCFM Marketplace plugin represents a critical stored cross-site scripting flaw that affects versions up to and including 3.7.3, operating within the WordPress ecosystem and specifically targeting the WooCommerce multivendor marketplace functionality. This security weakness stems from inadequate input sanitization mechanisms and insufficient output escaping practices within the plugin's codebase, creating a persistent threat vector that can be exploited by authenticated attackers possessing vendor-level permissions or higher. The vulnerability manifests through the manipulation of media attachment titles, which are processed through the WordPress REST API endpoint at /wp-json/wp/v2/media, allowing malicious actors to inject malicious scripts into the system without requiring direct interaction with AJAX endpoints.

The technical exploitation occurs when an attacker uploads a crafted media attachment containing malicious JavaScript within the post_title field, leveraging their privileged access to the WordPress media management interface. Once uploaded, this malicious content bypasses proper sanitization controls and remains stored within the system's database. When any privileged user accesses the media dashboard, the unescaped title value is retrieved from the database, processed through DataTables JSON formatting, and subsequently injected as innerHTML into web pages, creating a persistent XSS payload execution environment. This vulnerability operates at the intersection of multiple security domains, with the root cause mapping to CWE-79 (Cross-Site Scripting) and the specific implementation flaw corresponding to CWE-601 (URL Redirection to Untrusted Site) when considering the data flow through REST API endpoints.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to perform session hijacking, steal sensitive user credentials, manipulate dashboard functionality, and potentially escalate privileges within the compromised environment. The persistent nature of stored XSS means that every privileged user who loads the affected media dashboard becomes a potential victim, creating an attack surface that grows with the number of authenticated users with vendor-level access or higher. This vulnerability directly aligns with ATT&CK technique T1566.002 (Phishing via Service) and T1059.007 (Scripting), as it enables attackers to establish persistent web-based attack vectors that can compromise user sessions and execute arbitrary code within the context of privileged users' browsers.

Security mitigations for this vulnerability must address multiple layers of protection, beginning with immediate input validation and sanitization of all user-supplied data within the WordPress REST API endpoints, particularly focusing on the media attachment title field. The plugin should implement proper output escaping mechanisms when rendering stored values in HTML contexts, ensuring that all data elements are properly encoded before insertion into DOM structures. Additionally, access controls should be reviewed to ensure that vendor-level users have appropriate restrictions on media upload capabilities, and that administrative functions perform comprehensive validation of all input parameters. Organizations should also implement network-based protections such as web application firewalls that can detect and block suspicious payloads in REST API requests, while monitoring for anomalous activity patterns in media management operations. The vulnerability highlights the critical importance of defense-in-depth strategies and proper security coding practices, particularly when handling user-supplied data in web applications that operate within privileged contexts.

Responsible

Wordfence

Reservation

06/12/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!