The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link. There were hundreds of AJAX endpoints affected.
References
Configurations
Configuration 1 (hide)
|
History
07 Nov 2023, 03:59
Type | Values Removed | Values Added |
---|---|---|
CWE |
Information
Published : 2023-04-05 18:15
Updated : 2024-02-28 20:13
NVD link : CVE-2022-4938
Mitre link : CVE-2022-4938
CVE.ORG link : CVE-2022-4938
JSON object : View
Products Affected
wclovers
- frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible
CWE
No CWE.