CVE-2022-4940

HIGH EXPLOITED NUCLEI

WCFM Membership <2.10.0 - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2022-4940 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying membership details, changing renewal information, controlling membership approvals, and more.

Nuclei Templates (1)

WCFM Membership <= 2.10.0 - Broken Access Control

HIGHVERIFIEDby 0xanis

Shodan: http.html:"wc-multivendor-membership"

References (4)

Core 4

Core References

Patch

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2605020%40wc-multivendor-membership&new=2605020%40wc-multivendor-membership&sfp_email=&sfph_mail=

Patch

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2632641%40wc-multivendor-membership&new=2632641%40wc-multivendor-membership&sfp_email=&sfph_mail=

Patch

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2633191%40wc-multivendor-membership&new=2633191%40wc-multivendor-membership&sfp_email=&sfph_mail=

Patch, Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/9c6577a2-6722-4d3b-958d-1143dca414cd?source=cve

Scores

CVSS v3 7.3

EPSS 0.0108

EPSS Percentile 60.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2023-04-06

CWE

CWE-862

Status published

Products (2)

wclovers/WCFM Membership – WooCommerce Memberships for Multivendor Marketplace < 2.10.0

wclovers/wcfm_membership < 2.10.11

Published Apr 05, 2023

Tracked Since Feb 18, 2026