CVE-2026-12103
Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
11/07/2026
Última modificación:
11/07/2026
Descripción
*** Pendiente de traducción *** The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate the login name, email address, and user ID of all WordPress accounts — including administrators — by submitting arbitrary search terms to the AJAX handler. The required 'search-user' nonce is localized into the wallet_param object on the standard WooCommerce My Account page, which is accessible to any authenticated user, making it trivially obtainable by a Subscriber.
Impacto
Puntuación base 3.x
4.30
Gravedad 3.x
MEDIA
Referencias a soluciones, herramientas e información
- https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.0/includes/class-woo-wallet-ajax.php#L166
- https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.0/includes/class-woo-wallet-ajax.php#L56
- https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.0/includes/class-woo-wallet-frontend.php#L199
- https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.0/includes/helper/woo-wallet-util.php#L1462
- https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.3/includes/class-woo-wallet-ajax.php#L166
- https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.3/includes/class-woo-wallet-ajax.php#L56
- https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.3/includes/class-woo-wallet-frontend.php#L199
- https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.3/includes/helper/woo-wallet-util.php#L1462
- https://plugins.trac.wordpress.org/changeset?reponame=&old=3585829%40woo-wallet&new=3585829%40woo-wallet
- https://www.wordfence.com/threat-intel/vulnerabilities/id/98b38844-c6fe-4655-8bbe-7600203b567e?source=cve



