๐Ÿ” CVE Alert

CVE-2026-12103

MEDIUM 4.3

Wallet for WooCommerce <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) User/Email Enumeration via terawallet_export_user_search AJAX Action

CVSS Score
4.3
EPSS Score
0.3%
EPSS Percentile
21th

The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate the login name, email address, and user ID of all WordPress accounts โ€” including administrators โ€” by submitting arbitrary search terms to the AJAX handler. The required 'search-user' nonce is localized into the wallet_param object on the standard WooCommerce My Account page, which is accessible to any authenticated user, making it trivially obtainable by a Subscriber.

CWE CWE-862
Vendor subratamal
Product wallet for woocommerce
Published Jul 11, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for subratamal wallet for woocommerce

Be the first to know when new medium vulnerabilities affecting subratamal wallet for woocommerce are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

subratamal / Wallet for WooCommerce
0 โ‰ค 1.6.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/98b38844-c6fe-4655-8bbe-7600203b567e?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.3/includes/class-woo-wallet-ajax.php#L166 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.3/includes/helper/woo-wallet-util.php#L1462 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.3/includes/class-woo-wallet-frontend.php#L199 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.3/includes/class-woo-wallet-ajax.php#L56 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.0/includes/class-woo-wallet-ajax.php#L166 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.0/includes/helper/woo-wallet-util.php#L1462 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.0/includes/class-woo-wallet-frontend.php#L199 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/woo-wallet/tags/1.6.0/includes/class-woo-wallet-ajax.php#L56 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?reponame=&old=3585829%40woo-wallet&new=3585829%40woo-wallet

Credits

Mitchell