Unauthorized Data Modification in WCFM Membership Plugin for WordPress
CVE-2022-4940

7.3HIGH

Key Information:

Vendor: Wordpress
Status: Wcfm Membership – WooCommerce Memberships For Multivendor Marketplace
Vendor: CVE Published:; 5 April 2023

What is CVE-2022-4940?

The WCFM Membership plugin for WordPress suffers from a serious authorization bypass vulnerability that allows unauthenticated attackers to perform unauthorized actions. Due to insufficient capability checks on various AJAX actions, attackers can modify membership details, alter renewal information, and manipulate membership approvals among other critical operations, thereby compromising the integrity and security of the application and its users.

Affected Version(s)

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace * <= 2.10.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 5, 2023
Vulnerability Reserved
Apr 5, 2023

Credit

Chloe Chamberland