WordPress Vulnerabilities Digest - November 2022 Part 4

Threat Alerts / November 23, 2022
This week, no vulnerabilities were revealed in the WordPress core. Be sure to update to WordPress 6.0.1 as soon as possible!

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.0.1 as soon as possible! As always, with a major release like this, it makes sense to ensure your site is backed up with BackupBuddy before updating.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Core Dropping Support for WordPress Versions 3.7 – 4.0

In more WordPress core security news, the WordPress Security Team will no longer provide security updates for WordPress core versions 3.7 – 4.0. Please make sure all your WordPress sites are running the latest version.

WordPress Plugin Vulnerabilities

1. All-In-One Security

Plugin: All-In-One Security (AIOS) – Security and Firewall
Plugin slug: all-in-one-wp-security-and-firewall
Installations: 1,000,000+
Vulnerability: IP Spoofing; Bulk Actions via CSRF
Patched in version: 5.1.1
Severity score: Medium
CVE: CVE-2022-44737

The vulnerability has been patched, so you should update to version 5.1.1.

2. SVG Support

Plugin: SVG Support
Plugin slug: svg-support
Installations: 1,000,000+
Vulnerability: Author+ Stored XSS
Patched in version: 2.5.2
Severity score: Medium
CVE: CVE-2022-4022

The vulnerability has been patched, so you should update to version 2.5.2.

3. WordPress Popular Posts

Plugin: WordPress Popular Posts
Plugin slug: wordpress-popular-posts
Installations: 200,000+
Vulnerability: Unauthenticated Views Manipulation
Patched in version: 6.1.0
Severity score: Medium
CVE: CVE-2022-43468

The vulnerability has been patched, so you should update to version 6.1.0.

4. Plugin for Google Reviews

Plugin: Plugin for Google Reviews
Plugin slug: widget-google-reviews
Installations: 100,000+
Vulnerability: Subscriber+ Widget Creation
Patched in version: 2.2.3
Severity score: Medium
CVE: CVE-2022-45369

The vulnerability has been patched, so you should update to version 2.2.3.

5. Icegram Express

Plugin: Icegram Express – Email Subscribers, Newsletters and Marketing Automation Plugin
Plugin slug: email-subscribers
Installations: 100,000+
Vulnerability: Subscriber+ SQLi
Patched in version: 5.5.0
Severity score: High
CVE: CVE-2022-3981

The vulnerability has been patched, so you should update to version 5.5.0.

6. Crowdsignal Dashboard

Plugin: Crowdsignal Dashboard – Polls, Surveys & more
Plugin slug: polldaddy
Installations: 90,000+
Vulnerability: Contributor+ Rating Settings Update
Patched in version: 3.0.10
Severity score: Medium
CVE: CVE-2022-45069

The vulnerability has been patched, so you should update to version 3.0.10.

7. Livemesh Addons for Elementor

Plugin: Livemesh Addons for Elementor
Plugin slug: addons-for-elementor
Installations: 90,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 7.2.4
Severity score: Low
CVE: CVE-2022-3862

The vulnerability has been patched, so you should update to version 7.2.4.

8. Booster for WooCommerce

Plugin: Booster for WooCommerce
Plugin slug: woocommerce-jetpack
Installations: 70,000+
Vulnerability: Custom Role Creation/Deletion via CSRF
Patched in version: 5.6.7
Severity score: Medium
CVE: CVE-2022-4016

The vulnerability has been patched, so you should update to version 5.6.7.

9. User Registration

Plugin: User Registration – Custom Registration Form, Login Form And User Profile For WordPress
Plugin slug: user-registration
Installations: 60,000+
Vulnerability: Subscriber+ Arbitrary File Upload
Patched in version: 2.2.4.1
Severity score: Critical
CVE: CVE-2022-3912

The vulnerability has been patched, so you should update to version 2.2.4.1.

10. Permalink Manager Lite

Plugin: Permalink Manager Lite
Plugin slug: permalink-manager
Installations: 60,000+
Vulnerability: Settings Update via CSRF
Patched in version: 2.2.20.2
Severity score: Medium
CVE: CVE-2022-4021

The vulnerability has been patched, so you should update to version 2.2.20.2.

11. Dokan

Plugin: Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
Plugin slug: dokan-lite
Installations: 60,000+
Vulnerability: Unauthenticated SQLi
Patched in version: 3.7.6
Severity score: High
CVE: CVE-2022-3915

The vulnerability has been patched, so you should update to version 3.7.6.

12. Easy Video Player

Plugin: Easy Video Player
Plugin slug: easy-video-player
Installations: 40,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.2.2.3
Severity score: Medium
CVE: CVE-2022-3937

The vulnerability has been patched, so you should update to version 1.2.2.3.

13. Jetpack CRM

Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
Plugin slug: zero-bs-crm
Installations: 30,000+
Vulnerability: Admin+ Cross-Site Scripting
Patched in version: 5.4.3
Severity score: Low
CVE: CVE-2022-3919

The vulnerability has been patched, so you should update to version 5.4.3.

14. wpForo Forum

Plugin: wpForo Forum
Plugin slug: wpforo
Installations: 20,000+
Vulnerability: Arbitrary User Deletion via CSRF
Patched in version: 2.1.0
Severity score: High
CVE: CVE-2022-40192

The vulnerability has been patched, so you should update to version 2.1.0.

15. Ezoic

Plugin: Ezoic
Plugin slug: ezoic-integration
Installations: 20,000+
Vulnerability: Admin+ Stored XSS; Unauthenticated Settings Update to Stored XSS
Patched in version: 2.8.9
Severity score: Low
CVE: CVE-2022-41315

The vulnerability has been patched, so you should update to version 2.8.9.

16. Welcart e-Commerce

Plugin: Welcart e-Commerce
Plugin slug: usc-e-shop
Installations: 20,000+
Vulnerability: Multiple Subscriber+ Stored Cross-Site Scripting; Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion
Patched in version: 2.8.4
Severity score: Medium
CVE: CVE-2022-3935

The vulnerability has been patched, so you should update to version 2.8.4.

17. StopBadBots

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
Plugin slug: stopbadbots
Installations: 10,000+
Vulnerability: Subscriber+ Arbitrary Plugin Installation
Patched in version: 7.24
Severity score: High
CVE: CVE-2022-3883

The vulnerability has been patched, so you should update to version 7.24.

18. Directorist

Plugin: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Plugin slug: directorist
Installations: 10,000+
Vulnerability: Subscriber+ Arbitrary User Password Update via IDOR
Patched in version: 7.4.2.2
Severity score: High
CVE: CVE-2022-3930

The vulnerability has been patched, so you should update to version 7.4.2.2.

19. Videojs HTML5 Player

Plugin: Videojs HTML5 Player
Plugin slug: videojs-html5-player
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.1.9
Severity score: Medium
CVE: CVE-2022-3985

The vulnerability has been patched, so you should update to version 1.1.9.

20. Motors

Plugin: Motors – Car Dealer, Classifieds & Listing
Plugin slug: motors-car-dealership-classified-listings
Installations: 9,000+
Vulnerability: Arbitrary File Upload
Patched in version: 1.4.4
Severity score: Critical
CVE: CVE-2022-3989

The vulnerability has been patched, so you should update to version 1.4.4.

21. Booking Calendar

Plugin: Booking calendar, Appointment Booking System
Plugin slug: booking-calendar
Installations: 5,000+
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: 3.2.2
Severity score: Critical
CVE: CVE-2022-3982

The vulnerability has been patched, so you should update to version 3.2.2.

22. News Announcement Scroll

Plugin: News Announcement Scroll
Plugin slug: news-announcement-scroll
Installations: 5,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 9.0.0
Severity score: Low
CVE: CVE-2022-40694

The vulnerability has been patched, so you should update to version 9.0.0.

23. WP Stripe Checkout

Plugin: WP Stripe Checkout
Plugin slug: wp-stripe-checkout
Installations: 4,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.2.2.21
Severity score: Medium
CVE: CVE-2022-3986

The vulnerability has been patched, so you should update to version 1.2.2.21.

24. Export Users With Meta

Plugin: Export Users With Meta
Plugin slug: user-export-with-their-meta-data
Installations: 3,000+
Vulnerability: Subscriber+ CSV Injection
Patched in version: 0.6.10
Severity score: Low
CVE: CVE-2022-44577

The vulnerability has been patched, so you should update to version 0.6.10.

25. Flowplayer Video Player

Plugin: Flowplayer Video Player
Plugin slug: flowplayer6-video-player
Installations: 2,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.0.5
Severity score: Medium
CVE: CVE-2022-3984

The vulnerability has been patched, so you should update to version 1.0.5.

26. Car Dealer

Plugin: Car Dealer (Dealership) and Vehicle sales WordPress Plugin
Plugin slug: cardealer
Installations: 1,000+
Vulnerability: Subscriber+ Arbitrary Plugin Installation
Patched in version: 3.05
Severity score: High
CVE: CVE-2022-3879

The vulnerability has been patched, so you should update to version 3.05.

27. Checkout for PayPal

Plugin: Checkout for PayPal
Plugin slug: checkout-for-paypal
Installations: 1,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.0.14
Severity score: Medium
CVE: CVE-2022-3983

The vulnerability has been patched, so you should update to version 1.0.14.

28. Anthologize

Plugin: Anthologize
Plugin slug: anthologize
Installations: 900+
Vulnerability: Admin+ Stored XSS
Patched in version: 0.8.1
Severity score: Low
CVE: CVE-2022-44591

The vulnerability has been patched, so you should update to version 0.8.1.

29. Chameleon

Plugin: Chameleon
Plugin slug: chameleon
Installations: 500+
Vulnerability: Admin+ Stored XSS
Patched in version: 1.4.4
Severity score: Low
CVE: CVE-2022-44736

The vulnerability has been patched, so you should update to version 1.4.4.

30. Responsive Lightbox2

Plugin: Responsive Lightbox2
Plugin slug: responsive-lightbox2
Installations: 400+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.0.4
Severity score: Medium
CVE: CVE-2022-3987

The vulnerability has been patched, so you should update to version 1.0.4.

31. Easy Form Builder

Plugin: Easy Form Builder
Plugin slug: easy-form-builder
Installations: 300+
Vulnerability: Admin+ Stored XSS
Patched in version: 3.4.0
Severity score: Low
CVE: CVE-2022-3906

The vulnerability has been patched, so you should update to version 3.4.0.

32. Booster Elite for WooCommerce

Plugin: Booster Elite for WooCommerce
Plugin slug: booster-elite-for-woocommerce
Vulnerability: Custom Role Creation/Deletion via CSRF
Patched in version: 1.1.8
Severity score: Medium
CVE: CVE-2022-4016

The vulnerability has been patched, so you should update to version 1.1.8.

33. Booster Plus for WooCommerce

Plugin: Booster Plus for WooCommerce
Plugin slug: booster-plus-for-woocommerce
Vulnerability: Custom Role Creation/Deletion via CSRF
Patched in version: 5.6.6
Severity score: Medium
CVE: CVE-2022-4016

The vulnerability has been patched, so you should update to version 5.6.6.

34. Cooked Pro

Plugin: Cooked Pro
Plugin slug: cooked-pro
Vulnerability: Unauthenticated PHP Object Injection
Patched in version: 1.7.5.7
Severity score: High
CVE: CVE-2022-3900

The vulnerability has been patched, so you should update to version 1.7.5.7.

35. SMSA Shipping for WooCommerce

Plugin: SMSA Shipping for WooCommerce
Plugin slug: smsa-shipping-for-woocommerce
Vulnerability: Subscriber+ Arbitrary File Download
Patched in version: 1.0.5
Severity score: High
CVE: CVE-2022-4107

The vulnerability has been patched, so you should update to version 1.0.5.

36. AntiHacker

Plugin: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
Plugin slug: antihacker
Vulnerability: Subscriber+ Arbitrary Plugin Installation
Patched in version: 4.20
Severity score: High
CVE: CVE-2022-3880

The vulnerability has been patched, so you should update to version 4.20.

37. WooCommerce Shipping – DPD baltic

Plugin: WooCommerce Shipping – DPD baltic
Plugin slug: woo-shipping-dpd-baltic
Vulnerability: Admin+ Stored XSS; Subscriber+ Arbitrary Options Deletion
Patched in version: 1.2.11
Severity score: Medium
CVE: CVE-2022-4000

The vulnerability has been patched, so you should update to version 1.2.11.

38. WP Memory

Plugin: Memory Usage, Memory Limit, PHP and Server Memory Health Check and Fix Plugin
Plugin slug: wp-memory
Vulnerability: Subscriber+ Arbitrary Plugin Installation
Patched in version: 2.46
Severity score: High
CVE: CVE-2022-3882

The vulnerability has been patched, so you should update to version 2.46.

39. WPTools

Plugin: WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log
Plugin slug: wptools
Vulnerability: Subscriber+ Arbitrary Plugin Installation
Patched in version: 3.43
Severity score: High
CVE: CVE-2022-3881

The vulnerability has been patched, so you should update to version 3.43.

WordPress Plugin Vulnerabilities – No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

Ultimate Tables

Plugin: ULTIMATE TABLES
Plugin slug: ultimate-tables
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-36357

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WooSwipe WooCommerce Gallery

Plugin: WooSwipe WooCommerce Gallery
Plugin slug: wooswipe
Vulnerability: Subscriber+ Settings Update
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-45066

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Shortcodes and extra features for Phlox theme

Plugin: Shortcodes and extra features for Phlox theme
Plugin slug: auxin-elements
Vulnerability: PHP Object Injection
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-3359

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Essential Real Estate

Plugin: Essential Real Estate
Plugin slug: essential-real-estate
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-3933

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Image Hover Effects

Plugin: Image Hover Effects – WordPress Plugin
Plugin slug: image-hover-effects
Vulnerability: Admin+ Stored XSS
Patched in version: No Fix
Severity score: Low
CVE: CVE-2022-4010

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Flat PM

Plugin: Flat PM
Plugin slug: flatpm-wp
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-3934

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

GetYourGuide Ticketing

Plugin: GetYourGuide Ticketing
Plugin slug: getyourguide-ticketing
Vulnerability: Admin+ Stored XSS
Patched in version: No Fix
Severity score: Low
CVE: CVE-2022-3609

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

ProfileGrid

Plugin: ProfileGrid – User Profiles, Memberships, Groups and Communities
Plugin slug: profilegrid-user-profiles-groups-and-communities
Vulnerability: Subscriber+ CSV Injection
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-41791

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Donation Button

Plugin: Donation Button
Plugin slug: donation-button
Vulnerability: Contributor+ Stored XSS; Subscriber+ Broken Access Control leading to SMS Spam
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4005

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Helloprint

Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint
Plugin slug: helloprint
Vulnerability: Reflected Cross-Site Scripting
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-3908

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Buddybadges

Plugin: buddybadges
Plugin slug: buddybadges
Vulnerability: Admin+ SQLi
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-3925

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

iFeature Slider

Plugin: iFeature Slider
Plugin slug: ifeature-slider
Vulnerability: Contributor+ Stored XSS
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-45375

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

1. Listingo

Theme: Listingo
Theme slug: listingo
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: 3.2.7
Severity score: Critical
CVE: CVE-2022-3921

The vulnerability has been patched, so you should update to version 3.2.7.

2. Betheme

Theme: Betheme
Theme slug: betheme
Vulnerability: Contributor+ PHP Object Injection; Subscriber+ PHP Object Injection; Subscriber+ Stored XSS
Patched in version: 26.6.3
Severity score: Medium
CVE: CVE-2022-3861

The vulnerability has been patched, so you should update to version 26.6.3.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign-up today!