WordPress Plugin Vulnerabilities

WCFM Marketplace < 3.4.12 - Subscriber+ Unauthorised AJAX Calls

Description

The plugin does not have authorisation in various AJAX actions, allowing any authenticated users, such as subscriber to call them and modify shipping method details/products, delete arbitrary posts, as well as lead to privilege escalation.

Affects Plugins

Plugin icon
wc-multivendor-marketplace
Fixed in 3.4.12

References

CVE
CVE-2022-4935

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Chloe Chamberland
Verified
No
WPVDB ID
987fe51c-2095-4200-bd22-b52b4fd4683a

Timeline

Publicly Published
2023-04-05 (about 3 years ago)
Added
2023-04-06 (about 3 years ago)
Last Updated
2023-04-06 (about 3 years ago)

Other

Published
Title
Published
2023-11-01
Title
Funnelforms Free < 3.4.2 - Missing Authorization to Enable/Disable Dark Mode
Published
2024-05-17
Title
Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation
Published
2026-03-01
Title
ShopWP <= 5.2.4 - Missing Authorization
Published
2024-04-19
Title
Active Products Tables for WooCommerce < 1.0.6.3 - Missing Authorization
Published
2025-10-30
Title
ERI File Library < 1.1.1 - Missing Authorization to Unauthenticated Protected File Download