WordPress Plugin Vulnerabilities

WCFM Membership < 2.10.1 - Unauthenticated AJAX Calls

Description

The plugin does not have authorisation in various AJAX actions, allowing unauthenticated attackers to call them and modify membership details/renewal information etc

Affects Plugins

Plugin icon
wc-multivendor-membership
Fixed in 2.10.1

References

CVE
CVE-2022-4940

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.3 (high)

Miscellaneous

Original Researcher
Chloe Chamberland
Verified
No
WPVDB ID
41bdf07c-d707-436b-8cfc-5ef852f0b7f5

Timeline

Publicly Published
2023-04-05 (about 2 years ago)
Added
2023-04-06 (about 2 years ago)
Last Updated
2023-04-26 (about 2 years ago)

Other

Published
Title
Published
2025-06-05
Title
Taskbuilder < 4.0.8 - Missing Authorization
Published
2025-03-27
Title
Greek Multi Tool – Fix peralinks, accents, auto create menus and more < 2.3.2 - Missing Authorization
Published
2024-12-11
Title
de:branding <= 1.0.2 - Authenticated (Subscriber+) Arbitrary Options Update
Published
2026-01-16
Title
Payment Button for PayPal < 1.2.3.42 - Missing Authorization to Unauthenticated Arbitrary Order Creation
Published
2025-07-16
Title
Hestia < 3.2.11 - Missing Authorization