CVE-2022-4940 – WCFM Membership <= 2.10.0 - Missing Authorization
https://notcve.org/view.php?id=CVE-2022-4940
05 Apr 2023 — The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying membership details, changing renewal information, controlling membership approvals, and more. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2605020%40wc-multivendor-membership&new=2605020%40wc-multivendor-membership&sfp_email=&sfph_mail= • CWE-862: Missing Authorization
CVE-2021-24849 – WCFM - WooCommerce Multivendor Marketplace < 3.4.12 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2021-24849
22 Nov 2021 — The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated users, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injection. • https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24835 – WCFM - Frontend Manager for WooCommerce < 6.5.12 - Customer/Subscriber+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24835
11 Oct 2021 — The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible WordPress plugin before 6.5.12, when used in combination with another WCFM - WooCommerce Multivendor plugin such as WCFM - WooCommerce Multivendor Marketplace, does not escape the withdrawal_vendor parameter before using it in a SQL statement, allowing low-privilege users such as Subscribers to perform SQL injection attacks. • https://wpscan.com/vulnerability/c493ac9c-67d1-48a9-be21-824b1a1d56c2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')