CVE-2022-4938 Information
Description
The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying knowledge bases modifying notices modifying payments managing vendors capabilities and so much more via a forged request granted they can trick a site’s administrator into performing an action such as clicking on a link. There were hundreds of AJAX endpoints affected.
Reference
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2632630%40wc-frontend-manager&new=2632630%40wc-frontend-manager&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/798b57ad-0922-435c-8b4d-8a96b388b314?source=cve
Share on: