Cross-Site Request Forgery Vulnerability in WCFM Frontend Manager for WordPress
CVE-2022-4938
6.3MEDIUM
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 5 April 2023
Summary
The WCFM Frontend Manager plugin for WordPress has a Cross-Site Request Forgery vulnerability due to insufficient nonce checks on multiple AJAX actions. This flaw allows unauthenticated attackers to exploit the system by tricking site administrators into performing unintended actions through manipulated requests. Attackers could modify various aspects of the site, including knowledge bases, notices, payments, and vendor management, thereby compromising site integrity. This vulnerability affects numerous AJAX endpoints within the affected versions, emphasizing the need for prompt remediation.
Affected Version(s)
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible * <= 6.5.13
References
CVSS V3.1
Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Chloe Chamberland