cleantalk
Vulnerabilities and Security Researches

WCFM Marketplace – Best Multivendor Marketplace for WooCommerce, CVE-2022-4935

CVE, Research URL

CVE-2022-4935

Home page URL

Security reports for WCFM Marketplace – Best Multivendor Marketplace for WooCommerce

Application

WCFM Marketplace – Best Multivendor Marketplace for WooCommerce

Published on
Apr 05, 2023
Research Description
The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying shipping method details, modifying products, deleting arbitrary posts, and privilege escalation (via the wp_ajax_wcfm_vendor_store_online AJAX action).
Affected versions
max 3.4.12.
Status
vulnerable
Previous vulnerability researches
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce (CVE-2024-44009) , Sep 19, 2024
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce (CVE-2026-1722) , Apr 15, 2026
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce (CVE-2022-4936) , Jun 07, 2024
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce (CVE-2022-4935) , Jun 07, 2024
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce (CVE-2021-24849) , Jun 07, 2024
New vulnerability
VI: Include Post By (CVE-2026-5717) , Apr 17, 2026
Responsive Accordion Slider (CVE-2026-0635) , Apr 17, 2026
Petje.af (CVE-2026-4002) , Apr 17, 2026
LinkedIn SC (CVE-2026-0812) , Apr 17, 2026
Coachific Shortcode (CVE-2026-4005) , Apr 17, 2026