CVE-2022-4940
published 2023-04-05


Priority: P2 76
CVSS 3.1: 6.5 (medium)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N
ITW EXPLOIT: VulnCheck KEV (exploited in the wild)
EPSS: 1.08% (61.0th percentile)
The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying membership details, changing renewal information, controlling membership approvals, and more.

Affected (2 ranges)

Vendor   | Product                                                              | Version range | Fixed in
wclovers | wcfm_membership                                                      | < 2.10.11     | 2.10.11
wclovers | wcfm_membership_woocommerce_memberships_for_multivendor_marketplace | <= 2.10.0     | (none listed)

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
command: action=wcfm_ajax_controller&controller=wcfm-memberships&wcfm_ajax_nonce={{nonce}}&length=10&start=0&draw=1
path: /wp-content/plugins/wc-multivendor-membership/
other: wc-multivendor-membership
  • Exploit sends an unauthenticated POST to /wp-admin/admin-ajax.php with action=wcfm_ajax_controller and controller set to one of the vulnerable AJAX actions (wcfm-memberships, wcfm-memberships-manage, wcfm-memberships-settings). No authentication cookies or capability tokens are required.
  • The exploit first performs a GET to the target homepage to extract the wcfm_ajax_nonce value using the regex '"wcfm_ajax_nonce":"([a-f0-9]+)"', then replays it in the unauthenticated AJAX POST — monitor for nonce harvesting followed immediately by unauthenticated admin-ajax.php POST requests.
  • Presence of the plugin directory path /wp-content/plugins/wc-multivendor-membership/ in HTTP responses can be used as a Shodan/Google dork to identify exposed vulnerable instances.
  • The vulnerability affects WCFM Membership plugin versions up to and including 2.10.0 only; version 2.10.1 and later are patched.
  • All three AJAX controller values (wcfm-memberships, wcfm-memberships-manage, wcfm-memberships-settings) are independently exploitable; detection rules should cover all three controller parameter values, not just wcfm-memberships.
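The detection points above (unauthenticated POST to admin-ajax.php with any of the three vulnerable controller values, optionally preceded by a homepage GET that harvests the nonce) can be turned into a log-based rule. The following is an added example, not code from the CVE record or from the plugin's sources. It assumes JSON-lines request logs from a reverse proxy or WAF that record the request body and the Cookie header; the field names (ts, src, method, path, body, cookie), the 60-second correlation window and the sample records are all constructed for the example.

```python
"""Detection logic for unauthenticated WCFM Membership AJAX calls (CVE-2022-4940).

Assumed input: JSON-lines request logs with the fields ts, src, method, path,
body and cookie (field names are an assumption of this example, not a standard).
"""
import json
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# The three controller values named as independently exploitable in the CVE record.
VULN_CONTROLLERS = {"wcfm-memberships", "wcfm-memberships-manage", "wcfm-memberships-settings"}
AJAX_PATH = "/wp-admin/admin-ajax.php"
# Assumed window in which a homepage GET counts as nonce harvesting for a later POST.
HARVEST_WINDOW = timedelta(seconds=60)

# Constructed sample log records (not real traffic; IPs are documentation ranges).
SAMPLE_LOG = """\
{"ts": "2023-04-05T10:00:01Z", "src": "203.0.113.7", "method": "GET", "path": "/", "body": "", "cookie": ""}
{"ts": "2023-04-05T10:00:02Z", "src": "203.0.113.7", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=wcfm_ajax_controller&controller=wcfm-memberships&wcfm_ajax_nonce=abc123&length=10&start=0&draw=1", "cookie": ""}
{"ts": "2023-04-05T10:05:00Z", "src": "198.51.100.20", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=wcfm_ajax_controller&controller=wcfm-memberships-manage&wcfm_ajax_nonce=def456", "cookie": "wordpress_logged_in_1a2b=admin%7Cplaceholder; wp-settings-1=x"}
{"ts": "2023-04-05T10:06:00Z", "src": "192.0.2.9", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=heartbeat&_nonce=zzz", "cookie": ""}
{"ts": "2023-04-05T10:30:00Z", "src": "192.0.2.44", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=wcfm_ajax_controller&controller=wcfm-memberships-settings&wcfm_ajax_nonce=789", "cookie": ""}
"""


def parse_log(text):
    """Parse JSON-lines records and convert the timestamp to a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def wcfm_membership_controller(rec):
    """Return the vulnerable controller name if this is a WCFM membership AJAX call, else None."""
    if rec["method"] != "POST" or rec["path"] != AJAX_PATH:
        return None
    params = parse_qs(rec.get("body", ""))
    if params.get("action", [""])[0] != "wcfm_ajax_controller":
        return None
    controller = params.get("controller", [""])[0]
    return controller if controller in VULN_CONTROLLERS else None


def is_authenticated(rec):
    """WordPress sets a wordpress_logged_in_<hash> cookie for logged-in sessions."""
    return "wordpress_logged_in_" in rec.get("cookie", "")


def detect(records):
    """Flag unauthenticated WCFM membership AJAX calls; raise severity when the same
    source fetched the homepage (nonce harvesting) shortly before."""
    findings = []
    homepage_gets = {}  # src -> timestamps of GET / seen so far
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["method"] == "GET" and rec["path"] == "/":
            homepage_gets.setdefault(rec["src"], []).append(rec["ts"])
            continue
        controller = wcfm_membership_controller(rec)
        if controller is None or is_authenticated(rec):
            continue
        harvested = any(rec["ts"] - t <= HARVEST_WINDOW for t in homepage_gets.get(rec["src"], []))
        findings.append({
            "src": rec["src"],
            "ts": rec["ts"].isoformat(),
            "controller": controller,
            "severity": "high" if harvested else "medium",
            "reason": "unauthenticated WCFM membership AJAX call"
                      + (" preceded by homepage GET (nonce harvest)" if harvested else ""),
        })
    return findings


def run_detection(log_text=SAMPLE_LOG):
    return detect(parse_log(log_text))


if __name__ == "__main__":
    for f in run_detection():
        print(f"{f['severity'].upper():6} {f['ts']} {f['src']} controller={f['controller']}: {f['reason']}")
```

Against the sample records this reports two findings: the 203.0.113.7 pair (homepage GET followed one second later by an unauthenticated wcfm-memberships POST) as high, and the lone unauthenticated wcfm-memberships-settings POST from 192.0.2.44 as medium. The logged-in call and the unrelated heartbeat action are ignored, which is the intended trade-off: the rule targets the unauthenticated access the CVE describes rather than every use of the plugin's AJAX endpoint.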

CVSS provenance

nvd: v3.1 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
vulncheck: 7.3 HIGH