Cross-Site Request Forgery in WCFM Membership Plugin for WordPress
CVE-2022-4941

6.3MEDIUM

Key Information:

Vendor

Wordpress
Status
Wcfm Membership – WooCommerce Memberships For Multivendor Marketplace
Vendor
CVE Published:
5 April 2023

What is CVE-2022-4941?

The WCFM Membership plugin for WordPress has a vulnerability that allows unauthenticated attackers to exploit the lack of nonce checks on various AJAX actions. Specifically, this could enable attackers to manipulate membership details, alter renewal information, and influence membership approvals through crafted requests, provided they can deceive a site administrator into executing a malicious link. This issue affects versions up to and including 2.9.10, presenting a significant risk to the integrity and management of membership functionalities.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace * <= 2.9.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chloe Chamberland
JSON
.