The WCFM Membership plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.10 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying membership details, changing renewal information, controlling membership approvals, and more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Wordfence
Published: 2023-04-05T18:00:49.094Z
Updated: 2023-04-13T14:41:59.640Z
Reserved: 2023-04-05T18:00:11.381Z
Link: CVE-2022-4941
JSON object: View
NVD Information
Status : Modified
Published: 2023-04-05T19:15:07.620
Modified: 2023-11-07T03:59:22.557
Link: CVE-2022-4941
JSON object: View
Redhat Information
No data.
CWE
No CWE.