First published: Wed Apr 05 2023
The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying membership details, changing renewal information, controlling membership approvals, and more.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Wclovers Wcfm Membership | <2.10.11 | |
The vulnerability ID of the WCFM Membership plugin for WordPress vulnerability is CVE-2022-4940.
The severity of CVE-2022-4940 is high with a severity value of 6.5.
Versions up to, and including, 2.10.0 of the WCFM Membership plugin for WordPress are affected by CVE-2022-4940.
The vulnerability in the WCFM Membership plugin for WordPress is due to missing capability checks on various AJAX actions.
Unauthenticated attackers can perform a wide variety of actions such as unauthorized modification and access of data.
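The root cause named above and in the description (CWE-862, missing capability checks on AJAX actions) is the typical WordPress pattern where an AJAX handler is reachable without any authorization test. The following is an added illustration written for this page; it is not code from the WCFM Membership plugin, and the hook name `demo_update_membership`, the post type `demo_membership`, the meta key `_demo_status` and the capability chosen are all hypothetical. It shows the vulnerable shape beside a hardened handler using the standard WordPress functions `check_ajax_referer` and `current_user_can`.

```php
<?php
// Added example, not code from the WCFM Membership plugin. All names are hypothetical.

// --- Vulnerable pattern (CWE-862) ---
// The wp_ajax_nopriv_* hook exposes the handler to logged-out visitors, and the
// handler performs no nonce check and no capability check, so any HTTP request
// that reaches admin-ajax.php can rewrite membership data.
//
//   add_action( 'wp_ajax_demo_update_membership',        'demo_update_membership_vulnerable' );
//   add_action( 'wp_ajax_nopriv_demo_update_membership', 'demo_update_membership_vulnerable' );
//
function demo_update_membership_vulnerable() {
    $membership_id = isset( $_POST['membership_id'] ) ? absint( $_POST['membership_id'] ) : 0;
    $status        = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';

    // Input is sanitized, but nobody asked whether the caller is allowed to do this.
    update_post_meta( $membership_id, '_demo_status', $status );
    wp_send_json_success();
}

// --- Hardened version ---
// Registered only on the authenticated hook; no wp_ajax_nopriv_* registration,
// so unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_demo_update_membership', 'demo_update_membership_hardened' );

function demo_update_membership_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this action
    //    (e.g. wp_create_nonce( 'demo_update_membership' ) passed as the "nonce" field).
    //    check_ajax_referer() calls wp_die() on failure, so execution stops here.
    check_ajax_referer( 'demo_update_membership', 'nonce' );

    // 2. Authorization: the caller must hold a capability that permits this change.
    //    'manage_options' is an assumption for the example; a real plugin would
    //    register a narrower custom capability for membership management.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // wp_die()s
    }

    $membership_id = isset( $_POST['membership_id'] ) ? absint( $_POST['membership_id'] ) : 0;
    $status        = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
    $allowed       = array( 'active', 'pending', 'cancelled' ); // constructed allow-list

    // 3. Validate the target object and the new value before writing anything.
    if ( ! $membership_id
        || 'demo_membership' !== get_post_type( $membership_id )
        || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request' ), 400 );
    }

    update_post_meta( $membership_id, '_demo_status', $status );
    wp_send_json_success( array( 'membership_id' => $membership_id, 'status' => $status ) );
}
```

The two checks address different risks: the nonce stops a logged-in user's browser from being driven into the action from another site, while `current_user_can()` decides whether that user may perform it at all. Sanitization alone, as in the vulnerable function, does neither. When reviewing a plugin for this class of bug, listing every `wp_ajax_nopriv_*` registration and confirming each handler either needs no authorization by design or performs a capability check is a quick first pass.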
A fix for CVE-2022-4940 is available in the latest version of the WCFM Membership plugin for WordPress.
More information about the CVE-2022-4940 vulnerability can be found at the following references:

1. [Reference 1](https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2605020%40wc-multivendor-membership&new=2605020%40wc-multivendor-membership&sfp_email=&sfph_mail=)
2. [Reference 2](https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2632641%40wc-multivendor-membership&new=2632641%40wc-multivendor-membership&sfp_email=&sfph_mail=)
3. [Reference 3](https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2633191%40wc-multivendor-membership&new=2633191%40wc-multivendor-membership&sfp_email=&sfph_mail=)
The CWE ID associated with CVE-2022-4940 is CWE-862.