CVE-2022-4940

HIGH EXPLOITED NUCLEI

WCFM Membership <2.10.0 - Info Disclosure

Title source: llm

Description

The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying membership details, changing renewal information, controlling membership approvals, and more.

Nuclei Templates (1)

WCFM Membership <= 2.10.0 - Broken Access Control

HIGHVERIFIEDby 0xanis

Shodan: http.html:"wc-multivendor-membership"

References (4)

[Patch] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2605020%40wc-multivendor-membership&new=2605020%40wc-multivendor-membership&sfp_email=&sfph_mail=

[Patch] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2632641%40wc-multivendor-membership&new=2632641%40wc-multivendor-membership&sfp_email=&sfph_mail=

[Patch] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2633191%40wc-multivendor-membership&new=2633191%40wc-multivendor-membership&sfp_email=&sfph_mail=

[Patch, Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/9c6577a2-6722-4d3b-958d-1143dca414cd?source=cve

Scores

CVSS v3 7.3

EPSS 0.1404

EPSS Percentile 94.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

VulnCheck KEV 2023-04-06

CWE

CWE-862

Status published

Products (2)

wclovers/wcfm_membership < 2.10.11

wclovers/WCFM Membership – WooCommerce Memberships for Multivendor Marketplace < 2.10.0

Published Apr 05, 2023

Tracked Since Feb 18, 2026