Unauthorized Data Modification in WCFM Membership Plugin for WordPress
CVE-2022-4940

7.3HIGH

Key Information:

Vendor
Wordpress
Status
Wcfm Membership – WooCommerce Memberships For Multivendor Marketplace
Vendor
CVE Published:
5 April 2023

Summary

The WCFM Membership plugin for WordPress suffers from a serious authorization bypass vulnerability that allows unauthenticated attackers to perform unauthorized actions. Due to insufficient capability checks on various AJAX actions, attackers can modify membership details, alter renewal information, and manipulate membership approvals among other critical operations, thereby compromising the integrity and security of the application and its users.

Affected Version(s)

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace * <= 2.10.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chloe Chamberland
.