CVE-2022-4939 CRITICAL

CVE-2022-4939: WCFM Membership <= 2.10.0 - Unauthenticated Privilege Escalation

Vendor Wclovers
Product WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Weakness CWE-862 · Missing authorization
Published April 5, 2023
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The WCFM Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.10.0, due to a missing capability check on the wp_ajax_nopriv_wcfm_ajax_controller AJAX action, which controls membership settings. Because WordPress dispatches wp_ajax_nopriv_ hooks for requests with no logged-in session, unauthenticated attackers can modify the membership registration form so that the role assigned on registration is any role they choose, including administrator. Once that setting is changed, the attacker only has to register to receive an administrator account.
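The following is an added illustration of the bug class described above, not WCFM's own code: a generic WordPress AJAX handler that stores the role new registrants receive, first in the vulnerable shape (reachable through a wp_ajax_nopriv_ hook, no capability or nonce check, role taken verbatim from the request) and then hardened. The function, action and option names (demo_*, demo_membership_settings) are assumed for the example, and the registration helper at the end shows the sink that turns the settings write into a privilege escalation.

```php
<?php
// Added example, not code from the WCFM Membership plugin. All names prefixed
// demo_ are assumed for illustration.

// ---------------------------------------------------------------------------
// Vulnerable pattern (CWE-862, missing authorization).
// Registering the handler on wp_ajax_nopriv_* makes admin-ajax.php call it for
// visitors with no session at all, and nothing inside it asks who is calling.
// ---------------------------------------------------------------------------
function demo_save_settings_vulnerable() {
    $role = isset( $_POST['registration_role'] )
        ? sanitize_key( $_POST['registration_role'] )
        : 'subscriber';

    // Whatever the caller sends becomes the role granted on registration,
    // including 'administrator'. sanitize_key() only normalises the string;
    // it is not an authorization check.
    update_option( 'demo_membership_settings', array( 'registration_role' => $role ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_settings_vuln',        'demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_settings_vuln', 'demo_save_settings_vulnerable' ); // the bug

// ---------------------------------------------------------------------------
// Hardened form.
//  1. No wp_ajax_nopriv_ registration: settings changes need a logged-in user.
//  2. Nonce check (CSRF) and capability check (authorization) before any write.
//  3. Allow-list of roles, so even an authorised caller cannot make public
//     registration hand out 'administrator'.
// ---------------------------------------------------------------------------
function demo_save_settings_secure() {
    check_ajax_referer( 'demo_membership_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $allowed_roles = array( 'subscriber', 'customer' ); // assumed allow-list
    $role = isset( $_POST['registration_role'] )
        ? sanitize_key( $_POST['registration_role'] )
        : 'subscriber';

    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( 'role not permitted', 400 );
    }

    update_option( 'demo_membership_settings', array( 'registration_role' => $role ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_secure' );
// Deliberately no add_action( 'wp_ajax_nopriv_demo_save_settings', ... ).

// ---------------------------------------------------------------------------
// The sink: public registration reads the stored role. With the vulnerable
// handler above, an anonymous POST to admin-ajax.php?action=demo_save_settings_vuln
// with registration_role=administrator makes this create an administrator.
// ---------------------------------------------------------------------------
function demo_register_user( $login, $email, $password ) {
    $settings = get_option(
        'demo_membership_settings',
        array( 'registration_role' => 'subscriber' )
    );

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $settings['registration_role'],
    ) );
}
```

Two checks a reviewer should apply to any WordPress plugin's AJAX surface follow from this: every handler hooked on wp_ajax_nopriv_ must be safe for a completely anonymous caller, and every handler that writes settings must verify a capability, not just a nonce (a nonce proves intent, not privilege). Pinning the registration role to an allow-list is the defence in depth that makes a future authorization slip non-fatal.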

Key dates

Disclosure timeline

April 5, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

Related CVE