CVE-2022-4936: 
WordPress vulnerability analysis and mitigation

The WCFM Marketplace plugin for WordPress (versions up to and including 3.4.11) contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2022-4936. The vulnerability was discovered and disclosed with a CVSS v3.1 base score of 8.8 (HIGH) according to NVD's assessment, while Wordfence rated it at 6.3 (MEDIUM) (NVD).

The vulnerability stems from missing nonce checks on various AJAX actions in the WCFM Marketplace plugin. This security flaw allows unauthenticated attackers to perform unauthorized actions through forged requests. The vulnerability has been assigned a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H by NVD, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

If successfully exploited, the vulnerability enables attackers to perform a wide range of unauthorized actions including modification of shipping method details, product modifications, and deletion of arbitrary posts. The impact is significant as it affects core functionality of the e-commerce platform, potentially compromising the integrity of the marketplace (NVD).

The vulnerability has been patched in version 3.4.12 of the WCFM Marketplace plugin. Users are advised to update to this version or later to protect against potential CSRF attacks (NVD).