CVE-2022-4936
MEDIUM
WCFM Marketplace < 3.4.12 - Cross-Site Request Forgery via Missing Nonce Checks
Title source: llmDescription
The WCFM Marketplace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.11 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions, such as modifying shipping method details, modifying products, deleting arbitrary posts, and more, via a forged request, provided they can trick a site's administrator into performing an action such as clicking on a link.
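The fix class this advisory calls for, shown as an added example that is not WCFM Marketplace code: a hypothetical plugin AJAX action `myplugin_update_shipping` in its unprotected form next to a handler that verifies a nonce and the caller's capability, plus the enqueue hook that hands the nonce to the legitimate admin page. The action name, option name, script handle and the `manage_woocommerce` capability are assumptions for illustration.

```php
<?php
// Added example, not plugin code. Hypothetical action "myplugin_update_shipping".

// BEFORE (the pattern the advisory describes): the hook runs for any logged-in
// user's request and never checks a nonce, so a third-party page visited by an
// administrator can submit this request with the admin's cookies attached.
add_action( 'wp_ajax_myplugin_update_shipping', 'myplugin_update_shipping_unsafe' );
function myplugin_update_shipping_unsafe() {
    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    update_option( 'myplugin_shipping_label', $label );
    wp_send_json_success();
}

// AFTER: (1) verify the nonce bound to this specific action, (2) verify the
// caller's capability. The nonce is only present on pages WordPress rendered
// for this user, which a cross-site form cannot read, so a forged request fails.
add_action( 'wp_ajax_myplugin_update_shipping', 'myplugin_update_shipping_safe' );
function myplugin_update_shipping_safe() {
    // Sends a 403 and stops execution if the "security" field is absent or invalid.
    check_ajax_referer( 'myplugin_update_shipping', 'security' );

    // Nonce validity is not authorization: still check what the user may do.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    update_option( 'myplugin_shipping_label', $label );
    wp_send_json_success();
}

// Issue the nonce to the plugin's own admin script so it can post it back
// as the "security" field that check_ajax_referer() expects.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_update_shipping' ),
    ) );
} );
```

Auditing a plugin for this bug class means listing every `wp_ajax_*` and `wp_ajax_nopriv_*` callback and confirming each state-changing one calls `check_ajax_referer()` (or `wp_verify_nonce()`) and a capability check before touching data.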
References (2)
Core References
Patch, Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/5c2cc9a3-cd20-4c9e-baa4-1aea69f84331?source=cve
Scores
CVSS v3
6.3
EPSS
0.0025
EPSS Percentile
16.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
Status
published
Products (2)
wclovers/WCFM Marketplace – Multivendor Marketplace for WooCommerce
< 3.4.12
wclovers/wcfm_marketplace
< 3.4.12
Published
Apr 05, 2023
Tracked Since
Feb 18, 2026