A vulnerability was found in wclovers WCFM Plugin up to 6.7.27 on WordPress and classified as critical. This issue affects the function
is_user_logged_in/current_user_can of the file wcfm-my-account-enquiry-manage.php of the component Enquiry Management. The manipulation of the argument reply_content results in authorization bypass.
This vulnerability is identified as CVE-2026-12994. The attack can be executed remotely. There is not any exploit available.