The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link. There were hundreds of AJAX endpoints affected.
References
Configurations
Configuration 1 (hide)
|
History
07 Nov 2023, 03:59
Type | Values Removed | Values Added |
---|---|---|
CWE |
11 Apr 2023, 18:24
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2632630%40wc-frontend-manager&new=2632630%40wc-frontend-manager&sfp_email=&sfph_mail= - Patch | |
References | (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/798b57ad-0922-435c-8b4d-8a96b388b314?source=cve - Patch, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
First Time |
Wclovers frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible
Wclovers |
|
CPE | cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:* |
05 Apr 2023, 18:47
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-04-05 18:15
Updated : 2023-12-10 15:01
NVD link : CVE-2022-4938
Mitre link : CVE-2022-4938
CVE.ORG link : CVE-2022-4938
JSON object : View
Products Affected
wclovers
- frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible
CWE
No CWE.