Cross-Site Request Forgery Vulnerability in WCFM Frontend Manager for WordPress
CVE-2022-4938

6.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Wcfm – Frontend Manager For WooCommerce Along With Bookings Subscription Listings Compatible
Vendor: CVE Published:; 5 April 2023

What is CVE-2022-4938?

The WCFM Frontend Manager plugin for WordPress has a Cross-Site Request Forgery vulnerability due to insufficient nonce checks on multiple AJAX actions. This flaw allows unauthenticated attackers to exploit the system by tricking site administrators into performing unintended actions through manipulated requests. Attackers could modify various aspects of the site, including knowledge bases, notices, payments, and vendor management, thereby compromising site integrity. This vulnerability affects numerous AJAX endpoints within the affected versions, emphasizing the need for prompt remediation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible * <= 6.5.13

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Apr 5, 2023
Vulnerability Reserved
Apr 5, 2023

Credit

Chloe Chamberland

JSON

Wordpress