cleantalk
Vulnerabilities and Security Researches

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible, CVE-2022-4937

CVE, Research URL

CVE-2022-4937

Home page URL

Security reports for WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Application

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Published on
Apr 05, 2023
Research Description
The WCFM Frontend Manager plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 6.6.0 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more. There were hundreds of AJAX endpoints affected.
Affected versions
Min -, max 6.6.1.
Status
vulnerable
Previous vulnerability researches
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2025-3780) , Jul 12, 2025
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2022-4938) , Jun 06, 2024
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2022-4937) , Jun 06, 2024
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2024-29929) , Jun 06, 2024
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2021-24835) , Jun 06, 2024
New vulnerability
WP Register Profile With Shortcode (CVE-2025-4593) , Jul 13, 2025
Simple File List (CVE-2025-34085) , Jul 13, 2025
Pakke Envíos (CVE-2025-52819) , Jul 13, 2025
Gwolle Guestbook (CVE-2025-5807) , Jul 13, 2025
Tennis Court Bookings (CVE-2025-52787) , Jul 13, 2025