Security Alert Summary
The Coinbase Commerce for Contact Form 7 plugin for WordPress has a missing authorization vulnerability that allows authenticated users with Subscriber-level access or higher to overwrite the plugin’s stored Coinbase Commerce API key via a crafted POST request to the WordPress admin-post endpoint. The issue is caused by a missing capability check and missing nonce verification in the plugin’s save_settings() handler.
CVE Details
- CVE ID: CVE-2026-6709
- Affected component: Coinbase Commerce for Contact Form 7 plugin for WordPress
- Affected versions: Versions up to and including 1.1.2
- Published: May 12, 2026 at 9:16:56 AM UTC
- Last modified: May 12, 2026 at 2:03:52 PM UTC
- CVSS v3.1 base score: 4.3
- CVSS v3.1 severity: MEDIUM
- CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Authentication / privileges / user interaction: Requires an authenticated user with low privileges (PR:L). The plugin can be abused without user interaction (UI:N). The vendor advisory notes that authenticated attackers with Subscriber-level access and above can exploit the issue.
- Primary impact: Confidentiality: None; Integrity: Low (option value can be modified); Availability: None
- Weakness (CWE): CWE-862 (Missing Authorization)
Technical Details
The plugin’s save_settings() function, which is registered on the admin_post_cccf7_save_settings hook, does not perform a capability check or verify a nonce before saving settings. Because these checks are missing, an authenticated user with Subscriber-level privileges or higher can send a crafted POST request to /wp-admin/admin-post that targets the plugin handler and overwrite the plugin option that stores the Coinbase Commerce API key (cccf7_api_key).
The vulnerability exists specifically due to missing authorization and nonce verification in the request handling path. The immediate technical impact is that the integrity of the plugin option cccf7_api_key can be changed by low-privileged authenticated users. The description does not state any additional endpoints or functions beyond save_settings(), the admin_post_cccf7_save_settings hook, and the option name.
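The following PHP is an added illustration of the pattern the advisory describes, not the plugin's own code: a settings handler on an admin_post_* hook that persists to update_option() without a capability check or nonce verification, followed by a hardened version. The function names save_settings() and the hook admin_post_cccf7_save_settings come from the advisory; the action value cccf7_save_settings follows from WordPress's admin_post_{$action} hook convention. The form field name cccf7_api_key, the nonce name cccf7_nonce, the text domain and the settings page slug are assumptions.

```php
<?php
/**
 * Illustrative admin-post settings handler (hypothetical reconstruction,
 * not the plugin's source). The first function shows the defect class the
 * advisory names; the second is the hardened replacement.
 */

// --- Defective pattern: any logged-in user who reaches admin-post.php with
// action=cccf7_save_settings gets here, and nothing checks who they are or
// whether the request originated from the plugin's own settings form.
function cccf7_save_settings_unchecked() {
    $api_key = isset( $_POST['cccf7_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['cccf7_api_key'] ) ) : '';
    update_option( 'cccf7_api_key', $api_key ); // integrity of the option is unprotected
    wp_safe_redirect( admin_url( 'options-general.php?page=cccf7' ) );
    exit;
}

// --- Hardened pattern: authorization first, then request provenance, then input handling.
function cccf7_save_settings_hardened() {
    // 1. Capability check: only users allowed to manage site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'cccf7' ), 403 );
    }

    // 2. Nonce verification: ties the request to a form rendered for this user,
    //    so a forged cross-site POST fails even when an administrator is logged in.
    check_admin_referer( 'cccf7_save_settings', 'cccf7_nonce' );

    // 3. Sanitize before persisting.
    $api_key = isset( $_POST['cccf7_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['cccf7_api_key'] ) ) : '';
    update_option( 'cccf7_api_key', $api_key );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true',
        admin_url( 'options-general.php?page=cccf7' ) ) );
    exit;
}
// Only the hardened handler is registered on the hook named in the advisory.
add_action( 'admin_post_cccf7_save_settings', 'cccf7_save_settings_hardened' );

// The settings form must emit the matching nonce field, otherwise
// check_admin_referer() would reject legitimate submissions too.
function cccf7_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cccf7_save_settings" />
        <?php wp_nonce_field( 'cccf7_save_settings', 'cccf7_nonce' ); ?>
        <label for="cccf7_api_key"><?php esc_html_e( 'Coinbase Commerce API key', 'cccf7' ); ?></label>
        <input type="password" id="cccf7_api_key" name="cccf7_api_key"
               value="<?php echo esc_attr( get_option( 'cccf7_api_key', '' ) ); ?>" />
        <?php submit_button( __( 'Save', 'cccf7' ) ); ?>
    </form>
    <?php
}
```

The order matters when reviewing a handler like this: the capability check answers "may this user do this at all", the nonce answers "did this request come from the plugin's own form", and neither substitutes for the other. A nonce alone would still let any Subscriber who can load the form submit it; a capability check alone would still allow CSRF against an administrator.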
How This Could Impact Your Website
In a realistic site scenario, the site owner maintains the site and delegates tasks to internal staff and external contributors or contractors. If an authenticated low-privilege user (for example, a contributor or subscriber account used for posting comments or submitting forms) can overwrite the plugin’s API key, that change could interfere with or redirect payment processing that relies on the stored Coinbase Commerce key. Even if no site data is disclosed by this vulnerability, altering payment configuration may cause failed payments or misdirected transactions and could be used as part of wider social engineering or payment fraud attempts.
This situation may also increase the chance of targeted phishing or social engineering against staff or contractors if attackers are able to manipulate payment behavior or contact flows and then impersonate trusted parties. If you are unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and accounts, especially contributors and subscribers that do not need access to admin-post actions.
- Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
- Remove unused or unmaintained plugins from your installation.
- Monitor site activity and logs for unusual POST requests to /wp-admin/admin-post or unexpected changes to site options.
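As an added example of the monitoring step above (not part of the advisory or the plugin), the following must-use plugin logs every change to the cccf7_api_key option with the acting user, role and request details, and emails the site administrator when the change was made by an account without manage_options. It relies on the WordPress update_option_{$option} action, which fires after a successful option update with the old value, the new value and the option name; the log format and the mail subject are assumptions.

```php
<?php
/**
 * Plugin Name: cccf7 API key change monitor (illustrative, added example)
 * Description: Records who changed the cccf7_api_key option and from where.
 * Install as wp-content/mu-plugins/cccf7-key-monitor.php so it loads on every request.
 */

add_action( 'update_option_cccf7_api_key', 'cccf7_monitor_log_key_change', 10, 3 );

function cccf7_monitor_log_key_change( $old_value, $value, $option ) {
    // wp_get_current_user() returns a WP_User with ID 0 for unauthenticated requests.
    $user = wp_get_current_user();

    $entry = array(
        'time'       => gmdate( 'c' ),
        'option'     => $option,
        'user_id'    => $user->ID,
        'user_login' => $user->user_login,
        'roles'      => implode( ',', (array) $user->roles ),
        'ip'         => isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'uri'        => isset( $_SERVER['REQUEST_URI'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        // Never write the secret itself to a log; a short fingerprint is enough
        // to tell that the stored key changed and to correlate later.
        'old_fp'     => substr( hash( 'sha256', (string) $old_value ), 0, 12 ),
        'new_fp'     => substr( hash( 'sha256', (string) $value ), 0, 12 ),
    );

    error_log( 'cccf7_api_key changed: ' . wp_json_encode( $entry ) );

    // A payment API key should only ever be changed by someone allowed to manage
    // options. Anything else is worth an immediate alert, not just a log line.
    if ( ! user_can( $user, 'manage_options' ) ) {
        wp_mail(
            get_option( 'admin_email' ),
            '[' . wp_specialchars_decode( get_option( 'blogname' ) ) . '] Unexpected payment API key change',
            "The cccf7_api_key option was changed by a non-administrator account.\n\n"
            . wp_json_encode( $entry, JSON_PRETTY_PRINT )
        );
    }
}
```

Two caveats when relying on this: update_option() returns early without firing the hook when the new value equals the stored one, so a write that does not actually change the key produces no entry; and web server access logs alone cannot distinguish a settings save from any other admin-post request, because the action parameter travels in the POST body, which is why hooking the option update itself gives a far more precise signal than grepping for /wp-admin/admin-post.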
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/coinbase-commerce-for-contact-form-7/tags/1.1.2/includes/class-admin-settings.php#L231
- https://plugins.trac.wordpress.org/browser/coinbase-commerce-for-contact-form-7/tags/1.1.2/includes/class-admin-settings.php#L232
- https://plugins.trac.wordpress.org/browser/coinbase-commerce-for-contact-form-7/tags/1.1.2/includes/class-admin-settings.php#L51
- https://plugins.trac.wordpress.org/browser/coinbase-commerce-for-contact-form-7/trunk/includes/class-admin-settings.php#L231
- https://plugins.trac.wordpress.org/browser/coinbase-commerce-for-contact-form-7/trunk/includes/class-admin-settings.php#L232
- https://plugins.trac.wordpress.org/browser/coinbase-commerce-for-contact-form-7/trunk/includes/class-admin-settings.php#L51
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9bff2532-802c-4bb1-a0a2-7f5f928deb23?source=cve