
WordPress Vulnerabilities Digest - November 2022 Part 3

Threat Alerts / November 16, 2022
WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

Because WordPress 6.1.1 is a core update, be sure to update to it as soon as possible! As always with a core release, make sure your site is backed up with BackupBuddy before updating.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Core Dropping Support for WordPress Versions 3.7 – 4.0

In more WordPress core security news, the WordPress Security Team will no longer provide security updates for WordPress core versions 3.7 – 4.0. Please make sure all your WordPress sites are running the latest version.

WordPress Plugin Vulnerabilities

1. Broken Link Checker

Plugin: Broken Link Checker
Plugin slug: broken-link-checker
Installations: 700,000+
Vulnerability: Admin+ Cross-Site Scripting
Patched in version: 1.11.20
Severity score: Low
CVE: CVE-2022-3922

The vulnerability has been patched, so you should update to version 1.11.20.

2. Chaty

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button – Chaty
Plugin slug: chaty
Installations: 100,000+
Vulnerability: Admin+ SQLi
Patched in version: 3.0.3
Severity score: Medium
CVE: CVE-2022-3858

The vulnerability has been patched, so you should update to version 3.0.3.

3. Feed Them Social

Plugin: Feed Them Social – for Twitter feed, Youtube and more
Plugin slug: feed-them-social
Installations: 70,000+
Vulnerability: Subscriber+ Stored XSS; Settings Update via CSRF
Patched in version: 3.0.1
Severity score: Medium
CVE: CVE-2022-2940

The vulnerability has been patched, so you should update to version 3.0.1.

4. Blog2Social

Plugin: Blog2Social: Social Media Auto Post & Scheduler
Plugin slug: blog2social
Installations: 70,000+
Vulnerability: Subscriber+ Settings Update
Patched in version: 6.9.12
Severity score: Medium
CVE: CVE-2022-3622

The vulnerability has been patched, so you should update to version 6.9.12.

5. Advanced Import

Plugin: Advanced Import : One Click Import for WordPress or Theme Demo Data
Plugin slug: advanced-import
Installations: 70,000+
Vulnerability: Arbitrary Plugin Installation & Activation via CSRF
Patched in version: 1.3.8
Severity score: High
CVE: CVE-2022-3677

The vulnerability has been patched, so you should update to version 1.3.8.

6. TeraWallet – For WooCommerce

Plugin: TeraWallet – For WooCommerce
Plugin slug: woo-wallet
Installations: 20,000+
Vulnerability: Subscriber+ Arbitrary Wallet Lock/Unlock via IDOR
Patched in version: 1.4.4
Severity score: Medium
CVE: CVE-2022-3995

The vulnerability has been patched, so you should update to version 1.4.4.

7. Form Vibes

Plugin: Form Vibes – Database Manager for Forms
Plugin slug: form-vibes
Installations: 20,000+
Vulnerability: Admin+ SQLi
Patched in version: 1.4.6
Severity score: Medium
CVE: CVE-2022-3764

The vulnerability has been patched, so you should update to version 1.4.6.

8. Theme-Demo-Importer

Plugin: Theme Demo Import
Plugin slug: theme-demo-import
Installations: 10,000+
Vulnerability: Admin+ Arbitrary File Upload
Patched in version: 1.1.1
Severity score: Medium
CVE: CVE-2022-1538

The vulnerability has been patched, so you should update to version 1.1.1.

9. Seed Social

Plugin: Seed Social
Plugin slug: seed-social
Installations: 10,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 2.0.4
Severity score: Low
CVE: CVE-2022-3836

The vulnerability has been patched, so you should update to version 2.0.4.

10. Salon Booking System

Plugin: Salon booking system
Plugin slug: salon-booking-system
Installations: 8,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 7.9.4
Severity score: Medium
CVE: CVE-2022-43487

The vulnerability has been patched, so you should update to version 7.9.4.

11. WP OAuth Server

Plugin: WP OAuth Server (OAuth Authentication)
Plugin slug: oauth2-provider
Installations: 4,000+
Vulnerability: Admin+ Stored XSS; Client Secret Regeneration via CSRF
Patched in version: 4.2.2
Severity score: Low
CVE: CVE-2022-3892

The vulnerability has been patched, so you should update to version 4.2.2.

12. Export customers list CSV for WooCommerce

Plugin: Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list
Plugin slug: export-woocommerce-customer-list
Installations: 3,000+
Vulnerability: CSV Injection
Patched in version: 2.0.69
Severity score: Low
CVE: CVE-2022-3603

The vulnerability has been patched, so you should update to version 2.0.69.

13. Comic Book Management System

Plugin: Comic Book Management System
Plugin slug: comicbookmanagementsystemweeklypicks
Installations: 10+
Vulnerability: Admin+ SQLi
Patched in version: 2.2.0
Severity score: Medium
CVE: CVE-2022-3856

The vulnerability has been patched, so you should update to version 2.2.0.

14. WordPress Countdown Widget

Plugin: WordPress Countdown Widget
Plugin slug: wordpress-countdown-widget
Vulnerability: Admin+ Stored XSS
Patched in version: 3.1.9.3
Severity score: Low
CVE: CVE-2022-2944

The vulnerability has been patched, so you should update to version 3.1.9.3.

15. WP Affiliate Platform

Plugin slug: wp-affiliate-platform
Vulnerability: Affiliate Record Deletion via CSRF; Reflected Cross-Site Scripting; Admin+ Stored XSS
Patched in version: 6.4.0
Severity score: Medium
CVE: CVE-2022-3898

The vulnerability has been patched, so you should update to version 6.4.0.

16. Becustom

Plugin slug: becustom
Vulnerability: Settings Update via CSRF
Patched in version: 1.0.5.3
Severity score: Medium
CVE: CVE-2022-3747

The vulnerability has been patched, so you should update to version 1.0.5.3.

17. WP CSV Exporter

Plugin: WP CSV Exporter
Plugin slug: wp-csv-exporter
Vulnerability: Admin+ SQLi
Patched in version: 1.3.7
Severity score: Medium
CVE: CVE-2022-3249

The vulnerability has been patched, so you should update to version 1.3.7.

WordPress Plugin Vulnerabilities – No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

WPUpper Share Buttons

Plugin: WPUpper Share Buttons
Plugin slug: wpupper-share-buttons
Vulnerability: Admin+ Stored XSS
Patched in version: No Fix
Severity score: Low
CVE: CVE-2022-3838

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Helloprint

Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint
Plugin slug: helloprint
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-3908

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Advanced WP Columns

Plugin: Advanced WP Columns
Plugin slug: advanced-wp-columns
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low
CVE: CVE-2022-3426

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Follow Me Plugin

Plugin: Follow Me Plugin
Plugin slug: follow-me
Vulnerability: Stored XSS via CSRF
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-3240

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Simple Video Embedder

Plugin: Simple Video Embedder
Plugin slug: simple-video-embedder
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-44590

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Transposh WordPress Translation

Plugin: Transposh WordPress Translation
Plugin slug: transposh-translation-filter-for-wordpress
Vulnerability: Settings Update via Authorization Bypass
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-2536

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Page Builder

Plugin: WP Page Builder
Plugin slug: wp-pagebuilder
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Low
CVE: CVE-2022-3830

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Uji Countdown

Plugin: Uji Countdown
Plugin slug: uji-countdown
Vulnerability: Admin+ Stored XSS
Patched in version: No Fix
Severity score: Low
CVE: CVE-2022-3837

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Add Comments

Plugin: Add Comments
Plugin slug: add-comments
Vulnerability: Admin+ Stored XSS
Patched in version: No Fix
Severity score: Low
CVE: CVE-2022-3909

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

3DPrint

Plugin: 3DPrint
Plugin slug: 3dprint
Vulnerability: Arbitrary File and Directory Deletion via CSRF
Patched in version: No Fix
Severity score: High
CVE: CVE-2022-3899

The vulnerability has not been patched. You should deactivate the plugin.

Clerk

Plugin: Clerk
Plugin slug: clerkio
Vulnerability: Authentication Bypass and API Keys Disclosure
Patched in version: No Fix
Severity score: Low
CVE: CVE-2022-3907

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Photospace Gallery

Plugin: Photospace Gallery
Plugin slug: photospace
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-3991

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

PostmagThemes Demo

Plugin: PostmagThemes Demo Import
Plugin slug: postmagthemes-demo-import
Vulnerability: Admin+ Arbitrary File Upload
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-1540

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

1. Workreap – Freelance Marketplace and Directory

Theme: Workreap
Theme slug: workreap
Vulnerability: Subscriber+ Private Message Disclosure via IDOR
Patched in version: 2.6.3
Severity score: Medium
CVE: CVE-2022-3846

The vulnerability has been patched, so you should update to version 2.6.3.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!