CVE-2026-6709: WordPress Coinbase Commerce Auth Bypass

CVE-2026-6709 Overview

CVE-2026-6709 is a Missing Authorization vulnerability [CWE-862] in the Coinbase Commerce for Contact Form 7 plugin for WordPress, affecting versions up to and including 1.1.2. The flaw resides in the save_settings() function registered on the admin_post_cccf7_save_settings hook, which lacks both a capability check and a nonce verification. Authenticated users with Subscriber-level access or above can submit a crafted POST request to /wp-admin/admin-post.php and overwrite the plugin's Coinbase Commerce API key option (cccf7_api_key). The issue carries a CVSS score of 4.3 and an EPSS probability of 0.031%.

Critical Impact

A low-privileged authenticated attacker can overwrite the site's stored Coinbase Commerce API key, redirecting cryptocurrency payment processing to an attacker-controlled account.

Affected Products

• Coinbase Commerce for Contact Form 7 plugin for WordPress, versions up to and including 1.1.2
• WordPress sites running the affected plugin with Subscriber-level (or higher) user registration enabled
• Sites integrating Coinbase Commerce payments through Contact Form 7 forms

Discovery Timeline

• 2026-05-12 - CVE-2026-6709 published to NVD
• 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-6709

Vulnerability Analysis

The vulnerability is a classic broken access control issue in a WordPress plugin's settings handler. The save_settings() function is bound to the admin_post_cccf7_save_settings action hook. WordPress fires this hook for any authenticated user who issues a POST request to /wp-admin/admin-post.php with the matching action parameter. Because the handler omits both a current_user_can() capability check and a check_admin_referer() nonce verification, any logged-in user can trigger the settings save path.

The handler writes the submitted cccf7_api_key value into the WordPress options table. After overwriting, payment flows initiated through the integrated Contact Form 7 form will be tied to the attacker's Coinbase Commerce account rather than the site owner's. Funds intended for the merchant can be diverted without any administrative action.

Root Cause

The root cause is twofold: a missing authorization check and a missing CSRF protection token. Sensitive option writes should be restricted to users holding manage_options and protected by a verified nonce. The plugin assumes the request originates from an administrator simply because the endpoint lives under /wp-admin/, which is not enforced by WordPress for admin-post.php handlers.

Attack Vector

An attacker registers or compromises any Subscriber-level account on a target WordPress site. They then send a POST request to /wp-admin/admin-post.php containing action=cccf7_save_settings and a cccf7_api_key parameter set to an attacker-controlled Coinbase Commerce API key. The plugin persists the value, and future payment events route to the attacker. See the Wordfence Vulnerability Report and the affected source at class-admin-settings.php#L231 for technical specifics.

Detection Methods for CVE-2026-6709

Indicators of Compromise

• Unexpected modification of the cccf7_api_key value in the wp_options table without a corresponding administrator login session.
• POST requests to /wp-admin/admin-post.php with action=cccf7_save_settings originating from non-administrator user accounts.
• New or recently created Subscriber-level accounts that subsequently access /wp-admin/admin-post.php.
• Coinbase Commerce dashboard webhooks or payouts referencing an account not owned by the merchant.

Detection Strategies

• Monitor web server access logs for POST requests targeting admin-post.php with the cccf7_save_settings action and correlate the authenticated user role.
• Audit the WordPress options table for changes to cccf7_api_key and alert when the value differs from a known-good baseline.
• Enable WordPress audit logging plugins to record option updates and the user ID responsible for each change.

Monitoring Recommendations

• Track creation of Subscriber-level accounts on sites that do not require public registration.
• Alert on any non-administrator user submitting requests to /wp-admin/admin-post.php handlers that mutate plugin configuration.
• Reconcile Coinbase Commerce payout destinations against the configured merchant account on a recurring schedule.

How to Mitigate CVE-2026-6709

Immediate Actions Required

• Update the Coinbase Commerce for Contact Form 7 plugin to a version newer than 1.1.2 once a fixed release is published by the maintainer.
• Rotate the Coinbase Commerce API key in the Coinbase dashboard and re-enter the new key in WordPress to invalidate any attacker-supplied value.
• Audit the current value of cccf7_api_key in the wp_options table and confirm it matches the merchant's legitimate Coinbase Commerce API key.
• Review and remove unnecessary Subscriber-level accounts; disable open registration if it is not required.

Patch Information

At the time of publication, the vulnerability affects all versions up to and including 1.1.2. Site operators should consult the Wordfence Vulnerability Report for fixed version information and apply the vendor patch through the WordPress plugin updater.

Workarounds

• Deactivate the Coinbase Commerce for Contact Form 7 plugin until a patched version is installed.
• Restrict access to /wp-admin/admin-post.php via a web application firewall (WAF) rule that blocks requests with action=cccf7_save_settings from non-administrator users.
• Disable new user registration in WordPress (Settings → General → Membership) to reduce the pool of authenticated attackers.
• Enforce strong authentication (multi-factor) on all administrator accounts to limit lateral risk if a Subscriber account is compromised.

# Disable WordPress user self-registration via WP-CLI
wp option update users_can_register 0

# Inspect the current Coinbase Commerce API key stored by the plugin
wp option get cccf7_api_key

# Deactivate the vulnerable plugin until a patched version is available
wp plugin deactivate coinbase-commerce-for-contact-form-7