CVE-2022-4936 MEDIUM

CVE-2022-4936: WCFM Marketplace <= 3.4.12 - Cross-Site Request Forgery

Vendor Wclovers
Product WCFM Marketplace – Multivendor Marketplace for WooCommerce
Weakness CWE-352 · CSRF
Published April 5, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

The WCFM Marketplace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.11 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying shipping method details, modifying products, deleting arbitrary posts, and more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link.

Key dates

02Disclosure timeline

April 5, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-40925 WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials CVE-2021-25097 LabTools <= 1.0 - Subscriber+ Arbitrary Publication Deletion CVE-2022-4646 Cross-Site Request Forgery (CSRF) in ikus060/rdiffweb CVE-2025-7690 Affiliate Plus <= 1.3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting CVE-2024-28195 Cross-Site Request Forgery (CSRF) vulnerability in API and login in your_spotify