WordPress Plugin Vulnerabilities

WCFM Frontend Manager < 6.6.1 - Subscriber+ Unauthorised AJAX Calls

Description

The plugin does not have authorisation in various AJAX actions, allowing any authenticated users, such as subscriber to call them and modify knowledge bases/notices/payments, manage vendors etc

Affects Plugins

Plugin icon
wc-frontend-manager
Fixed in 6.6.1

References

CVE
CVE-2022-4937

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Verified
No
WPVDB ID
9b73853e-6935-4b92-851b-1c5fc0a264f0

Timeline

Publicly Published
2023-04-05 (about 3 years ago)
Added
2023-04-06 (about 3 years ago)
Last Updated
2023-04-06 (about 3 years ago)

Other

Published
Title
Published
2026-01-06
Title
Better Business Reviews < 0.1.2 - Missing Authorization
Published
2024-06-14
Title
Popup Builder – Create highly converting, mobile friendly marketing popups < 4.3.2 - Missing Authorization and Nonce Exposure
Published
2024-12-05
Title
Pinpoint Booking System < 2.9.9.5.8 - Missing Authorization
Published
2021-12-22
Title
Contact Form & Lead Form Elementor Builder < 1.6.8 - Subscriber+ Arbitrary Lead Deletion
Published
2026-01-22
Title
Listihub <= 1.0.6 - Missing Authorization