Cross-Site Request Forgery in WCFM Membership Plugin for WordPress
CVE-2022-4941

6.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Wcfm Membership – WooCommerce Memberships For Multivendor Marketplace
Vendor: CVE Published:; 5 April 2023

What is CVE-2022-4941?

The WCFM Membership plugin for WordPress has a vulnerability that allows unauthenticated attackers to exploit the lack of nonce checks on various AJAX actions. Specifically, this could enable attackers to manipulate membership details, alter renewal information, and influence membership approvals through crafted requests, provided they can deceive a site administrator into executing a malicious link. This issue affects versions up to and including 2.9.10, presenting a significant risk to the integrity and management of membership functionalities.

Affected Version(s)

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace * <= 2.9.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 5, 2023
Vulnerability Reserved
Apr 5, 2023

Credit

Chloe Chamberland