CVE-2022-4935 HIGH

CVE-2022-4935: WCFM Marketplace <= 3.4.11 - Missing Authorization

Vendor: Wclovers
Product: WCFM Marketplace – Multivendor Marketplace for WooCommerce
Weakness: CWE-89 · SQLi
Published: April 5, 2023
Last update: April 8, 2026

CVSS base score

8.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying shipping method details, modifying products, deleting arbitrary posts, and privilege escalation (via the wp_ajax_wcfm_vendor_store_online AJAX action).

Key dates

02 Disclosure timeline

April 5, 2023: CVE published
April 8, 2026: Record updated