WordPress Vulnerabilities Digest - November 2022 Part 3
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
WordPress Core Vulnerabilities
WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As with any core update, make sure your site is backed up with BackupBuddy before updating.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Core Dropping Support for WordPress Versions 3.7 – 4.0
In more WordPress core security news, the WordPress Security Team will no longer provide security updates for WordPress core versions 3.7 – 4.0. Please make sure all your WordPress sites are running the latest version.
WordPress Plugin Vulnerabilities
1. Broken Link Checker
Plugin: Broken Link Checker
Slug: broken-link-checker
Installations: 700,000+
Vulnerability: Admin+ Cross-Site Scripting
Patched in version: 1.11.20
Severity: Low
CVE: CVE-2022-3922
The vulnerability has been patched, so you should update to version 1.11.20.
2. Chaty
Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button – Chaty
Slug: chaty
Installations: 100,000+
Vulnerability: Admin+ SQLi
Patched in version: 3.0.3
Severity: Medium
CVE: CVE-2022-3858
The vulnerability has been patched, so you should update to version 3.0.3.
3. Feed Them Social
Plugin: Feed Them Social – for Twitter feed, Youtube and more
Slug: feed-them-social
Installations: 70,000+
Vulnerability: Subscriber+ Stored XSS; Settings Update via CSRF
Patched in version: 3.0.1
Severity: Medium
CVE: CVE-2022-2940
The vulnerability has been patched, so you should update to version 3.0.1.
4. Blog2Social
Plugin: Blog2Social: Social Media Auto Post & Scheduler
Slug: blog2social
Installations: 70,000+
Vulnerability: Subscriber+ Settings Update
Patched in version: 6.9.12
Severity: Medium
CVE: CVE-2022-3622
The vulnerability has been patched, so you should update to version 6.9.12.
5. Advanced Import
Plugin: Advanced Import : One Click Import for WordPress or Theme Demo Data
Slug: advanced-import
Installations: 70,000+
Vulnerability: Arbitrary Plugin Installation & Activation via CSRF
Patched in version: 1.3.8
Severity: High
CVE: CVE-2022-3677
The vulnerability has been patched, so you should update to version 1.3.8.
6. TeraWallet – For WooCommerce
Plugin: TeraWallet – For WooCommerce
Slug: woo-wallet
Installations: 20,000+
Vulnerability: Subscriber+ Arbitrary Wallet Lock/Unlock via IDOR
Patched in version: 1.4.4
Severity: Medium
CVE: CVE-2022-3995
The vulnerability has been patched, so you should update to version 1.4.4.
7. Form Vibes
Plugin: Form Vibes – Database Manager for Forms
Slug: form-vibes
Installations: 20,000+
Vulnerability: Admin+ SQLi
Patched in version: 1.4.6
Severity: Medium
CVE: CVE-2022-3764
The vulnerability has been patched, so you should update to version 1.4.6.
8. Theme-Demo-Importer
Plugin: Theme Demo Import
Slug: theme-demo-import
Installations: 10,000+
Vulnerability: Admin+ Arbitrary File Upload
Patched in version: 1.1.1
Severity: Medium
CVE: CVE-2022-1538
The vulnerability has been patched, so you should update to version 1.1.1.
9. Seed Social
Plugin: Seed Social
Slug: seed-social
Installations: 10,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 2.0.4
Severity: Low
CVE: CVE-2022-3836
The vulnerability has been patched, so you should update to version 2.0.4.
10. Salon Booking System
Plugin: Salon booking system
Slug: salon-booking-system
Installations: 8,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 7.9.4
Severity: Medium
CVE: CVE-2022-43487
The vulnerability has been patched, so you should update to version 7.9.4.
11. WP OAuth Server
Plugin: WP OAuth Server (OAuth Authentication)
Slug: oauth2-provider
Installations: 4,000+
Vulnerability: Admin+ Stored XSS; Client Secret Regeneration via CSRF
Patched in version: 4.2.2
Severity: Low
CVE: CVE-2022-3892
The vulnerability has been patched, so you should update to version 4.2.2.
12. Export customers list CSV for WooCommerce
Plugin: Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list
Slug: export-woocommerce-customer-list
Installations: 3,000+
Vulnerability: CSV Injection
Patched in version: 2.0.69
Severity: Low
CVE: CVE-2022-3603
The vulnerability has been patched, so you should update to version 2.0.69.
13. Comic Book Management System
Plugin: Comic Book Management System
Slug: comicbookmanagementsystemweeklypicks
Installations: 10+
Vulnerability: Admin+ SQLi
Patched in version: 2.2.0
Severity: Medium
CVE: CVE-2022-3856
The vulnerability has been patched, so you should update to version 2.2.0.
14. WordPress Countdown Widget
Plugin: WordPress Countdown Widget
Slug: wordpress-countdown-widget
Vulnerability: Admin+ Stored XSS
Patched in version: 3.1.9.3
Severity: Low
CVE: CVE-2022-2944
The vulnerability has been patched, so you should update to version 3.1.9.3.
15. WP Affiliate Platform
Slug: wp-affiliate-platform
Vulnerability: Affiliate Record Deletion via CSRF; Reflected Cross-Site Scripting; Admin+ Stored XSS
Patched in version: 6.4.0
Severity: Medium
CVE: CVE-2022-3898
The vulnerability has been patched, so you should update to version 6.4.0.
16. Becustom
Slug: becustom
Vulnerability: Settings Update via CSRF
Patched in version: 1.0.5.3
Severity: Medium
CVE: CVE-2022-3747
The vulnerability has been patched, so you should update to version 1.0.5.3.
17. WP CSV Exporter
Plugin: WP CSV Exporter
Slug: wp-csv-exporter
Vulnerability: Admin+ SQLi
Patched in version: 1.3.7
Severity: Medium
CVE: CVE-2022-3249
The vulnerability has been patched, so you should update to version 1.3.7.
WordPress Plugin Vulnerabilities – No Known Fix
Until a patch is available, immediately uninstall and delete the plugin.
WPUpper Share Buttons
Plugin: WPUpper Share Buttons
Slug: wpupper-share-buttons
Vulnerability: Admin+ Stored XSS
Patched in version: No Fix
Severity: Low
CVE: CVE-2022-3838
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Helloprint
Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint
Slug: helloprint
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity: Medium
CVE: CVE-2022-3908
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Advanced WP Columns
Plugin: Advanced WP Columns
Slug: advanced-wp-columns
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity: Low
CVE: CVE-2022-3426
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Follow Me Plugin
Plugin: Follow Me Plugin
Slug: follow-me
Vulnerability: Stored XSS via CSRF
Patched in version: No Fix
Severity: Medium
CVE: CVE-2022-3240
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Simple Video Embedder
Plugin: Simple Video Embedder
Slug: simple-video-embedder
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity: Medium
CVE: CVE-2022-44590
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Transposh WordPress Translation
Plugin: Transposh WordPress Translation
Slug: transposh-translation-filter-for-wordpress
Vulnerability: Settings Update via Authorization Bypass
Patched in version: No Fix
Severity: Medium
CVE: CVE-2022-2536
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WP Page Builder
Plugin: WP Page Builder
Slug: wp-pagebuilder
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity: Low
CVE: CVE-2022-3830
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Uji Countdown
Plugin: Uji Countdown
Slug: uji-countdown
Vulnerability: Admin+ Stored XSS
Patched in version: No Fix
Severity: Low
CVE: CVE-2022-3837
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Add Comments
Plugin: Add Comments
Slug: add-comments
Vulnerability: Admin+ Stored XSS
Patched in version: No Fix
Severity: Low
CVE: CVE-2022-3909
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
3DPrint
Plugin: 3DPrint
Slug: 3dprint
Vulnerability: Arbitrary File and Directory Deletion via CSRF
Patched in version: No Fix
Severity: High
CVE: CVE-2022-3899
The vulnerability has not been patched. You should deactivate the plugin.
Clerk
Plugin: Clerk
Slug: clerkio
Vulnerability: Authentication Bypass and API Keys Disclosure
Patched in version: No Fix
Severity: Low
CVE: CVE-2022-3907
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Photospace Gallery
Plugin: Photospace Gallery
Slug: photospace
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in version: No Fix
Severity: Medium
CVE: CVE-2022-3991
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
PostmagThemes Demo
Plugin: PostmagThemes Demo Import
Slug: postmagthemes-demo-import
Vulnerability: Admin+ Arbitrary File Upload
Patched in version: No Fix
Severity: Medium
CVE: CVE-2022-1540
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Theme Vulnerabilities
1. Workreap – Freelance Marketplace and Directory
Theme: Workreap
Slug: workreap
Vulnerability: Subscriber+ Private Message Disclosure via IDOR
Patched in version: 2.6.3
Severity: Medium
CVE: CVE-2022-3846
The vulnerability has been patched, so you should update to version 2.6.3.
If you are under our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!
The information for this blog post was taken from the iThemes Vulnerability Roundup.
If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!