First published: Wed Apr 05 2023(Updated: )
The WCFM Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.10.0, due to a missing capability check on the wp_ajax_nopriv_wcfm_ajax_controller AJAX action that controls membership settings. This makes it possible for unauthenticated attackers to modify the membership registration form so that the role assigned on registration can be set to any role, including administrator. Once the form is configured this way, the attacker can register as an administrator.
Credit: security@wordfence.com
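The root cause described above is a settings handler exposed on the unauthenticated `wp_ajax_nopriv_` hook without a capability check. The following is an added illustrative example, not code from the WCFM Membership plugin: it shows the vulnerable pattern beside a hardened version using WordPress's own `check_ajax_referer`, `current_user_can` and an allow-list of roles. The handler names, option key and role names (`myplugin_*`, `registration_role`) are hypothetical, constructed for this example.

```php
<?php
// Added illustrative example (not WCFM plugin code). Names are hypothetical.
// WordPress hook naming: wp_ajax_{action} runs only for logged-in users,
// wp_ajax_nopriv_{action} runs for anyone who can reach /wp-admin/admin-ajax.php.

// --- Vulnerable pattern: privileged setting written with no authorization check ---
function myplugin_vulnerable_ajax_controller() {
    // No nonce and no capability check. Any request reaching this hook can change
    // which role new registrations receive.
    $role = isset( $_POST['registration_role'] )
        ? sanitize_text_field( wp_unslash( $_POST['registration_role'] ) )
        : 'subscriber';
    update_option( 'myplugin_registration_role', $role );
    wp_send_json_success();
}
// The defect becomes reachable unauthenticated when the same callback is also
// wired to the nopriv hook (shown commented out so this file registers only the
// hardened handler below):
// add_action( 'wp_ajax_myplugin_ajax_controller',        'myplugin_vulnerable_ajax_controller' );
// add_action( 'wp_ajax_nopriv_myplugin_ajax_controller', 'myplugin_vulnerable_ajax_controller' );

// --- Hardened pattern ---
function myplugin_hardened_ajax_controller() {
    // 1. CSRF protection: the request must carry a nonce issued for this action
    //    (check_ajax_referer() dies with a 403-style response on failure).
    check_ajax_referer( 'myplugin_settings', 'nonce' );

    // 2. Authorization: only users who may manage the site can change
    //    membership settings. Unauthenticated callers always fail this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: a client-supplied value must never be able to select a
    //    privileged role. Compare against an allow-list of low-privilege roles
    //    (example values) instead of trusting whatever was posted.
    $role    = isset( $_POST['registration_role'] )
        ? sanitize_key( wp_unslash( $_POST['registration_role'] ) )
        : 'subscriber';
    $allowed = array( 'subscriber', 'customer' );
    if ( ! in_array( $role, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Role not permitted.' ), 400 );
    }

    update_option( 'myplugin_registration_role', $role );
    wp_send_json_success( array( 'registration_role' => $role ) );
}
// Settings mutations belong on the authenticated hook only. Do not register a
// wp_ajax_nopriv_ variant for a handler that writes configuration.
add_action( 'wp_ajax_myplugin_ajax_controller', 'myplugin_hardened_ajax_controller' );
```

When auditing a plugin for this class of issue, list every callback attached to a `wp_ajax_nopriv_*` hook and confirm that none of them call `update_option`, `update_user_meta`, `wp_update_user` or similar state-changing functions without an explicit `current_user_can()` check; the capability check, not the nonce, is what enforces authorization.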
Affected Software | Affected Version | How to fix
---|---|---
Wclovers Wcfm Membership | < 2.10.1 | Update to 2.10.1 or later
CVE-2022-4939 is a vulnerability in the WCFM Membership plugin for WordPress that allows unauthenticated attackers to perform privilege escalation.
CVE-2022-4939 has a severity rating of 9.8 (critical).
Versions up to and including 2.10.0 of the WCFM Membership plugin for WordPress are affected by CVE-2022-4939.
Unauthenticated attackers can exploit CVE-2022-4939 through a missing capability check on the wp_ajax_nopriv_wcfm_ajax_controller AJAX action that controls membership settings.
Yes, updating to version 2.10.1 or later of the WCFM Membership plugin for WordPress fixes CVE-2022-4939.