Vulnerability Description
The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link. There were hundreds of AJAX endpoints affected.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wclovers | Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible | <= 6.5.13 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&oldPatch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/798b57ad-0922-435c-8b4PatchThird Party Advisory
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&oldPatch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/798b57ad-0922-435c-8b4PatchThird Party Advisory
FAQ
What is CVE-2022-4938?
CVE-2022-4938 is a vulnerability with a CVSS score of 6.3 (MEDIUM). The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it po...
How severe is CVE-2022-4938?
CVE-2022-4938 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-4938?
Check the references section above for vendor advisories and patch information. Affected products include: Wclovers Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible.