CVE-2022-4939
First published: Wed Apr 05 2023(Updated: )
THe WCFM Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 2.10.0, due to a missing capability check on the wp_ajax_nopriv_wcfm_ajax_controller AJAX action that controls membership settings. This makes it possible for unauthenticated attackers to modify the membership registration form in a way that allows them to set the role for registration to that of any user including administrators. Once configured, the attacker can then register as an administrator.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Wclovers Wcfm Membership | <2.10.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-4939?
CVE-2022-4939 is a vulnerability in the WCFM Membership plugin for WordPress that allows unauthenticated attackers to perform privilege escalation.
How severe is CVE-2022-4939?
CVE-2022-4939 has a severity rating of 9.8 (critical).
Which versions of the WCFM Membership plugin for WordPress are affected by CVE-2022-4939?
Versions up to and including 2.10.0 of the WCFM Membership plugin for WordPress are affected by CVE-2022-4939.
How can unauthenticated attackers exploit CVE-2022-4939?
Unauthenticated attackers can exploit CVE-2022-4939 by exploiting a missing capability check on the wp_ajax_nopriv_wcfm_ajax_controller AJAX action that controls membership settings.
Is there a fix for CVE-2022-4939?
Yes, updating to version 2.10.1 or later of the WCFM Membership plugin for WordPress fixes CVE-2022-4939.
- collector/nvd-index
- agent/weakness
- agent/author
- vendor/wclovers
- canonical/wclovers wcfm membership