cleantalk
Vulnerabilities and Security Researches

Coinbase Commerce for Contact Form 7, CVE-2026-6709

CVE, Research URL

CVE-2026-6709

Home page URL

Security reports for Coinbase Commerce for Contact Form 7

Application

Coinbase Commerce for Contact Form 7

Published on
May 12, 2026
Research Description
The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the save_settings() function, which is registered on the admin_post_cccf7_save_settings hook. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's Coinbase Commerce API key option (cccf7_api_key) via a crafted POST request to /wp-admin/admin-post.
Affected versions
max 1.1.2.
Status
vulnerable
Previous vulnerability researches
Advanced Product Search for WooCommerce – Motive Commerce Search (CVE-2026-42664) , May 13, 2026
New vulnerability
Pricing Tables for WP (CVE-2026-6808) , May 14, 2026
Next Date (CVE-2026-4920) , May 14, 2026
Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings (CVE-2026-4301) , May 14, 2026
Shortcodely (CVE-2026-6913) , May 14, 2026
Graphic Web Design, Inc. Manager (CVE-2026-6663) , May 14, 2026