The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link. There were hundreds of AJAX endpoints affected.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Wordfence
Published: 2023-04-05T17:40:31.804Z
Updated: 2023-04-05T17:40:31.804Z
Reserved: 2023-04-05T17:38:54.077Z
Link: CVE-2022-4938
JSON object: View
NVD Information
Status : Modified
Published: 2023-04-05T18:15:07.517
Modified: 2023-11-07T03:59:21.847
Link: CVE-2022-4938
JSON object: View
Redhat Information
No data.
CWE
No CWE.