cleantalk
Vulnerabilities and Security Researches

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible, CVE-2022-4938

CVE, Research URL

CVE-2022-4938

Home page URL

Security reports for WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Application

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Published on
Apr 05, 2023
Research Description
The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link. There were hundreds of AJAX endpoints affected.
Affected versions
Min -, max 6.6.0.
Status
vulnerable
Previous vulnerability researches
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2025-3780) , Jul 12, 2025
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2022-4938) , Jun 06, 2024
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2022-4937) , Jun 06, 2024
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2024-29929) , Jun 06, 2024
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2021-24835) , Jun 06, 2024
New vulnerability
WP Register Profile With Shortcode (CVE-2025-4593) , Jul 13, 2025
Simple File List (CVE-2025-34085) , Jul 13, 2025
Pakke Envíos (CVE-2025-52819) , Jul 13, 2025
Gwolle Guestbook (CVE-2025-5807) , Jul 13, 2025
Tennis Court Bookings (CVE-2025-52787) , Jul 13, 2025