AI description
CVE-2026-21722 describes an Insecure Direct Object Reference (IDOR) vulnerability found in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. This flaw affects all plugin versions up to and including 3.7.0. The vulnerability stems from insufficient authorization checks within the `wcfm-refund-requests-form` AJAX controller. This oversight enables unauthenticated attackers to generate arbitrary refund requests for any order or item ID.
- Description
- Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.
- Source
- security@grafana.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 5.3
- Impact score
- 1.4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Severity
- MEDIUM
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 16
Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-41117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but are detectable via commits in the open-source repo. That’s at least 1 hour early. PoCs and more at h
@spaceraccoonsec
11 Feb 2026
9552 Impressions
23 Retweets
188 Likes
84 Bookmarks
0 Replies
0 Quotes
Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-41117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but are detectable via commits in the open-source repo. That’s at least 1 hour head start. PoCs and more
@spaceraccoonsec
11 Feb 2026
881 Impressions
0 Retweets
15 Likes
2 Bookmarks
1 Reply
1 Quote
Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-4117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but are detectable via commits in the open-source repo. That’s at least 1 hour head start. PoCs and more
@spaceraccoonsec
11 Feb 2026
842 Impressions
1 Retweet
2 Likes
1 Bookmark
0 Replies
0 Quotes
Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-4117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but are detectable via commits and pull requests in the open-source repo. PoCs and more at https://t.co/v6P
@spaceraccoonsec
11 Feb 2026
63 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes