CVE-2022-4941

Name of the Vulnerable Software and Affected Versions WCFM Membership plugin for WordPress versions up to, and including, 2.9.10

Description The issue allows unauthenticated attackers to perform various actions, such as modifying membership details, changing renewal information, controlling membership approvals, and more, via a forged request. This is possible because the plugin is missing nonce checks on various AJAX actions, making it vulnerable to Cross-Site Request Forgery. Attackers can exploit this by tricking a site's administrator into performing an action, like clicking on a link.

Recommendations For versions up to, and including, 2.9.10, update to a version that includes nonce checks on AJAX actions to prevent Cross-Site Request Forgery attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.