PT-2023-15924 · WordPress · Wcfm Frontend Manager

Chloe Chamberland · Published 2023-04-05 · Updated 2023-04-11 · CVE-2022-4938

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WCFM Frontend Manager plugin for WordPress, versions up to and including 6.6.0

Description: The issue allows unauthenticated attackers to perform various actions, such as modifying knowledge bases, notices, and payments, and managing vendors and capabilities, by tricking a site's administrator into performing an action like clicking on a link. This is possible due to missing nonce checks on various AJAX actions, affecting hundreds of endpoints.

Recommendations: For versions up to and including 6.6.0, update to a version that includes nonce checks on AJAX actions to prevent Cross-Site Request Forgery. As a temporary workaround, consider restricting access to AJAX endpoints until a patch is available. Avoid using the WCFM Frontend Manager plugin for WordPress until the issue is resolved.
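
The following is an added illustration of the missing-nonce pattern this advisory describes and of the fix it recommends; it is not WCFM's code. The action name `example_update_notice`, the script handle `example-frontend`, and the meta key are hypothetical, and the block assumes it runs inside a WordPress plugin.

```php
<?php
// Added illustration (not WCFM's code): a hypothetical "update_notice" AJAX
// handler as a plugin might register it, shown without and with nonce checks.

// Vulnerable pattern: the handler trusts any request that reaches admin-ajax.php
// with an administrator's cookies, so a cross-site request made while the
// administrator is logged in is processed like a legitimate one.
add_action( 'wp_ajax_example_update_notice', 'example_update_notice_unsafe' );
function example_update_notice_unsafe() {
    $id   = absint( $_POST['notice_id'] ?? 0 );
    $text = wp_kses_post( wp_unslash( $_POST['text'] ?? '' ) );
    update_post_meta( $id, '_example_notice_text', $text );   // hypothetical meta key
    wp_send_json_success();
}

// Hardened pattern: require a nonce issued to this user for this action, and
// check that the user is actually allowed to perform the action.
add_action( 'wp_ajax_example_update_notice_v2', 'example_update_notice_safe' );
function example_update_notice_safe() {
    // Terminates the request with a 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_update_notice', 'nonce' );

    // A nonce proves intent, not authorization: still check capabilities.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $id   = absint( $_POST['notice_id'] ?? 0 );
    $text = wp_kses_post( wp_unslash( $_POST['text'] ?? '' ) );
    update_post_meta( $id, '_example_notice_text', $text );
    wp_send_json_success();
}

// The nonce is generated server-side and handed only to the site's own front end,
// here when the (assumed, already registered) script that calls the endpoint is enqueued.
add_action( 'wp_enqueue_scripts', 'example_localize_nonce' );
function example_localize_nonce() {
    wp_localize_script( 'example-frontend', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_update_notice' ),
    ) );
}
```

When auditing a plugin for this class of issue, every `wp_ajax_*` and `wp_ajax_nopriv_*` callback that changes state should contain a `check_ajax_referer()` or `wp_verify_nonce()` call plus a capability check before it touches data.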

Fix

Weakness Enumeration: CSRF

Related Identifiers: CVE-2022-4938

Affected Products: Wcfm Frontend Manager