CVE-2022-4941
MEDIUM
WCFM Membership < 2.9.10 - Cross-Site Request Forgery via Missing Nonce Checks
Title source: llmDescription
The WCFM Membership plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.10 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions, such as modifying membership details, changing renewal information, controlling membership approvals, and more, via a forged request, provided they can trick a site's administrator into performing an action such as clicking on a link.
References (3)
Core References
Patch, Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/3758db41-a3c5-436a-bb9a-5886f10d1519?source=cve
Scores
CVSS v3
6.3
EPSS
0.0032
EPSS Percentile
23.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
Status
published
Products (2)
wclovers/WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
< 2.9.10
wclovers/wcfm_membership
< 2.10.0
Published
Apr 05, 2023
Tracked Since
Feb 18, 2026