CVE-2022-4938
Severity: MEDIUM
WCFM Frontend Manager for WooCommerce <= 6.6.0 - Cross-Site Request Forgery via Missing Nonce Checks
Title source: llmDescription
The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions, such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, managing capabilities, and much more, via a forged request, provided they can trick a site's administrator into performing an action such as clicking on a link. Hundreds of AJAX endpoints were affected.
References (2)
Core References
Patch, Third Party Advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/798b57ad-0922-435c-8b4d-8a96b388b314?source=cve
Scores
CVSS v3
6.3
EPSS
0.0025
EPSS Percentile
16.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
Status
published
Products (2)
wclovers/frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible
< 6.5.13
wclovers/WCFM – Frontend Manager for WooCommerce
< 6.5.13
Published
Apr 05, 2023
Tracked Since
Feb 18, 2026