Cross site request forgery (csrf)

2023-04-0518:15:00

PRIOn knowledge base

www.prio-n.com

wordpress

plugin vulnerability

cross-site request forgery

ajax endpoints

nonce checks

unauthenticated attackers

8.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.5%

JSON

The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more, via a forged request granted they can trick a site’s administrator into performing an action such as clicking on a link. There were hundreds of AJAX endpoints affected.

CPENameOperatorVersion
frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatiblele6.5.13

CPE	Name	Operator	Version
	frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible	le	6.5.13

References

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2632630%40wc-frontend-manager&new=2632630%40wc-frontend-manager&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/798b57ad-0922-435c-8b4d-8a96b388b314?source=cve