CVE-2022-4940
Published 2023-04-05
Priority P276 · Medium 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Tags: ITW · Exploit · VulnCheck KEV · Exploited in the wild
EPSS: 1.08% (61.0th percentile)
The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying membership details, changing renewal information, controlling membership approvals, and more.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wclovers | wcfm_membership | < 2.10.11 | 2.10.11 |
| wclovers | wcfm_membership_woocommerce_memberships_for_multivendor_marketplace | <= 2.10.0 | — |
Detection & IOCs (extracted from sources)
- url: `/wp-admin/admin-ajax.php`
- command: `action=wcfm_ajax_controller&controller=wcfm-memberships&wcfm_ajax_nonce={{nonce}}&length=10&start=0&draw=1`
- path: `/wp-content/plugins/wc-multivendor-membership/`
- other: `wc-multivendor-membership`
- Exploit sends an unauthenticated POST to /wp-admin/admin-ajax.php with action=wcfm_ajax_controller and controller set to one of the vulnerable AJAX actions (wcfm-memberships, wcfm-memberships-manage, wcfm-memberships-settings). No authentication cookies or capability tokens are required.
- The exploit first performs a GET to the target homepage to extract the wcfm_ajax_nonce value using the regex `"wcfm_ajax_nonce":"([a-f0-9]+)"`, then replays it in the unauthenticated AJAX POST. Monitor for nonce harvesting followed immediately by unauthenticated admin-ajax.php POST requests.
- Presence of the plugin directory path /wp-content/plugins/wc-multivendor-membership/ in HTTP responses can be used as a Shodan/Google dork to identify exposed vulnerable instances.
- The vulnerability affects WCFM Membership plugin versions up to and including 2.10.0 only; version 2.10.1 and later are patched.
- All three AJAX controller values (wcfm-memberships, wcfm-memberships-manage, wcfm-memberships-settings) are independently exploitable; detection rules should cover all three controller parameter values, not just wcfm-memberships.
CVSS provenance
- NVD (v3.1): 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- VulnCheck: 7.3 HIGH
GHSA
GHSA-7f48-x47w-f5p2 · ghsa_unreviewed · 2023-04-05 · CVE-2022-4940 [MEDIUM] · CWE-862
The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying membership details, changing renewal information, controlling membership approvals, and more.
VulnCheck
WCFM Membership Plugin for WordPress AJAX Vulnerability
vulncheck · 2022 · CVSS 7.3 · CVE-2022-4940 [HIGH]
The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying membership details, changing renewal information, controlling membership approvals, and more.
Affected: wclovers wcfm_membership
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/wc-multivendor-membership/wordpress-wcfm-membership-plugin-2-10-0-missing-
No detection rules found.
Nuclei
WCFM Membership <= 2.10.0 - Broken Access Control
nuclei · CVSS 6.5 · CVE-2022-4940 [MEDIUM]
The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks through the AJAX actions: wcfm-memberships, wcfm-memberships-manage, and wcfm-memberships-settings.
Template:
```yaml
id: CVE-2022-4940

info:
  name: WCFM Membership <= 2.10.0 - Broken Access Control
  author: 0xanis
  severity: high
  description: |
    The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks through the AJAX actions: wcfm-memberships, wcfm-memberships-manage, and wcfm-memberships-settings.
  impact: |
    Unauthenticated attackers can modify membership detai
```
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2605020%40wc-multivendor-membership&new=2605020%40wc-multivendor-membership&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2632641%40wc-multivendor-membership&new=2632641%40wc-multivendor-membership&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2633191%40wc-multivendor-membership&new=2633191%40wc-multivendor-membership&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9c6577a2-6722-4d3b-958d-1143dca414cd?source=cve