The WCFM Marketplace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.11 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying shipping method details, modifying products, deleting arbitrary posts, and more, via a forged request granted they can trick a sites administrator into performing an action such as clicking on a link.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Wcfm_marketplace | Wclovers | * | 3.4.12 (excluding) |