CVE-2022-4939

Name of the Vulnerable Software and Affected Versions WCFM Membership plugin for WordPress versions up to, and including 2.10.0

Description The issue is related to a missing capability check on the wp ajax nopriv wcfm ajax controller AJAX action, which controls membership settings. This allows unauthenticated attackers to modify the membership registration form, enabling them to set the role for registration to that of any user, including administrators. Once configured, the attacker can then register as an administrator.

Recommendations For versions up to, and including 2.10.0, update to a version higher than 2.10.0 to resolve the issue. As a temporary workaround, consider disabling the wp ajax nopriv wcfm ajax controller AJAX action until a patch is available. Restrict access to the membership registration form to minimize the risk of exploitation. Avoid using the vulnerable wp ajax nopriv wcfm ajax controller AJAX action in the affected plugin until the issue is resolved.