
WordPress Vulnerability Report – December 2022 Part 1

Threat Alerts / December 07, 2022
WordPress 6.1.1, released on November 15, 2022, is a maintenance release that fixes 29 bugs in Core and 21 in the block editor. Update to it as soon as possible, then work through the plugin and theme list below.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible. As with any core update, make sure your site is backed up with BackupBuddy before updating.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. Autoptimize

Plugin: Autoptimize
Slug: autoptimize
Installations: 1,000,000+
Vulnerability: Sensitive Data Disclosure
Patched in version: 3.1.0
Severity: Medium
CVE: CVE-2022-4057

The vulnerability has been patched, so you should update to version 3.1.0.

2. Easy WP SMTP

Plugin: Easy WP SMTP
Slug: easy-wp-smtp
Installations: 600,000+
Vulnerability: Admin+ Arbitrary File Deletion; Admin+ Arbitrary File Access
Patched in version: 1.5.2
Severity: Medium
CVE: CVE-2022-45829

The vulnerability has been patched, so you should update to version 1.5.2.

3. Custom Product Tabs for WooCommerce

Plugin: Custom Product Tabs for WooCommerce
Slug: yikes-inc-easy-custom-woocommerce-product-tabs
Installations: 100,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 1.8.0
Severity: Low
CVE: CVE-2022-43463

The vulnerability has been patched, so you should update to version 1.8.0.

4. Booster for WooCommerce

Plugin: Booster for WooCommerce
Slug: woocommerce-jetpack
Installations: 70,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 5.6.3
Severity: High
CVE: CVE-2022-4227

The vulnerability has been patched, so you should update to version 5.6.3.

5. Stop Spammers Security

Plugin: Stop Spammers Security | Block Spam Users, Comments, Forms
Slug: stop-spammer-registrations-plugin
Installations: 60,000+
Vulnerability: Unauthenticated PHP Object Injection
Patched in version: 2022.6
Severity: Medium
CVE: CVE-2022-4120

The vulnerability has been patched, so you should update to version 2022.6.

6. Quiz and Survey Master

Plugin: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
Slug: quiz-master-next
Installations: 40,000+
Vulnerability: Unauthenticated iFrame Injection; Improper Input Validation
Patched in version: 8.0.5
Severity: High
CVE: CVE-2022-4032

The vulnerability has been patched, so you should update to version 8.0.5.

7. Sliderby10Web

Plugin: Sliderby10Web
Slug: slider-wd
Installations: 30,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 1.2.53
Severity: Low
CVE: CVE-2022-4197

The vulnerability has been patched, so you should update to version 1.2.53.

8. Appointment Hour Booking

Plugin: Appointment Hour Booking – WordPress Booking Plugin
Slug: appointment-hour-booking
Installations: 30,000+
Vulnerability: Unauthenticated iFrame Injection; CSV Injection; CAPTCHA Bypass
Patched in version: 1.3.73
Severity: High
CVE: CVE-2022-4035

The vulnerability has been patched, so you should update to version 1.3.73.

9. WP Google Review Slider

Plugin: WP Google Review Slider
Slug: wp-google-places-review-slider
Installations: 20,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 11.6
Severity: Low
CVE: CVE-2022-4242

The vulnerability has been patched, so you should update to version 11.6.

10. Google Apps Login

Plugin: Login for Google Apps
Slug: google-apps-login
Installations: 20,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 3.4.5
Severity: Low
CVE: CVE-2022-3840

The vulnerability has been patched, so you should update to version 3.4.5.

11. Welcart e-Commerce

Plugin: Welcart e-Commerce
Slug: usc-e-shop
Installations: 20,000+
Vulnerability: Subscriber+ PHAR Deserialisation; Unauthenticated Arbitrary File Access; Subscriber+ Arbitrary File Access
Patched in version: 2.8.6
Severity: High
CVE: CVE-2022-4237

The vulnerability has been patched, so you should update to version 2.8.6.

12. GD bbPress Attachments

Plugin: GD bbPress Attachments
Slug: gd-bbpress-attachments
Installations: 10,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 4.4
Severity: Low
CVE: CVE-2022-45816

The vulnerability has been patched, so you should update to version 4.4.

13. Simple Basic Contact Form

Plugin: Simple Basic Contact Form
Slug: simple-basic-contact-form
Installations: 10,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 20221201
Severity: Low
CVE: CVE-2022-4226

The vulnerability has been patched, so you should update to version 20221201.

14. WP-Ban

Plugin: WP-Ban
Slug: wp-ban
Installations: 10,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 1.69.1
Severity: Low
CVE: CVE-2022-4260

The vulnerability has been patched, so you should update to version 1.69.1.

15. All-in-One Addons for Elementor – WidgetKit

Plugin: All-in-One Addons for Elementor – WidgetKit
Slug: widgetkit-for-elementor
Installations: 10,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 2.4.4
Severity: Low
CVE: CVE-2022-4256

The vulnerability has been patched, so you should update to version 2.4.4.

16. Advanced Coupons for WooCommerce

Plugin: Advanced Coupons – Better WooCommerce Coupons, Store Credit, Gift Cards, Loyalty Program & More
Slug: advanced-coupons-for-woocommerce-free
Installations: 10,000+
Vulnerability: Notice Dismiss via CSRF
Patched in version: 4.5.0.1
Severity: Medium
CVE: CVE-2022-43481

The vulnerability has been patched, so you should update to version 4.5.0.1.

17. Kwayy HTML Sitemap

Plugin: Kwayy HTML Sitemap
Slug: kwayy-html-sitemap
Installations: 7,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 4.0
Severity: Low
CVE: CVE-2022-3835

The vulnerability has been patched, so you should update to version 4.0.

18. Return Refund and Exchange For WooCommerce

Plugin: Return Refund and Exchange For WooCommerce – Create A Simple Warranty Management System RMA with Exchange, Wallet & Cancel Order Features
Slug: woo-refund-and-exchange-lite
Installations: 4,000+
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: 4.0.9
Severity: Critical
CVE: CVE-2022-4047

The vulnerability has been patched, so you should update to version 4.0.9.

19. WP Smart Import

Plugin: WP Smart Import : Import any XML File to WordPress
Slug: wp-smart-import
Installations: 2,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 1.0.3
Severity: Medium
CVE: CVE-2022-40209

The vulnerability has been patched, so you should update to version 1.0.3.

20. Chained Quiz

Plugin: Chained Quiz
Slug: chained-quiz
Installations: 2,000+
Vulnerability: Admin+ Stored XSS; Multiple Reflected Cross-Site Scripting; Arbitrary Question Deletion via CSRF; Reflected Cross-Site Scripting; Submitted Quiz Response Deletion via CSRF; Arbitrary Quiz Deletion & Copying via CSRF
Patched in version: 1.3.2.5
Severity: Medium
CVE: CVE-2022-4220

The vulnerability has been patched, so you should update to version 1.3.2.5.

21. WordPress Filter Gallery Plugin

Plugin: WordPress Filter Gallery Plugin
Slug: filter-gallery
Installations: 1,000+
Vulnerability: Admin+ Stored XSS
Patched in version: 0.1.6
Severity: Low
CVE: CVE-2022-4142

The vulnerability has been patched, so you should update to version 0.1.6.

22. Contest Gallery

Plugin: Contest Gallery – Files Upload and Contest Plugin for WordPress
Slug: contest-gallery
Installations: 1,000+
Vulnerability: Author+ SQL Injection; Unauthenticated SQL Injection
Patched in version: 19.1.5.1
Severity: High
CVE: CVE-2022-4156

The vulnerability has been patched, so you should update to version 19.1.5.1.

23. Simple:Press

Plugin: Simple:Press – WordPress Forum Plugin
Slug: simplepress
Installations: 600+
Vulnerability: Admin+ Arbitrary File Update; Subscriber+ Arbitrary File Deletion; Unauthenticated Stored XSS via Forum Replies; Subscriber+ Stored XSS via Profile Signatures
Patched in version: 6.8.1
Severity: Low
CVE: CVE-2022-4031

The vulnerability has been patched, so you should update to version 6.8.1.

24. ARMember

Plugin: ARMember – Complete Membership Plugin
Slug: armember
Vulnerability: Unauthenticated Privilege Escalation
Patched in version: 5.6
Severity: Critical
CVE: CVE-2022-42888

The vulnerability has been patched, so you should update to version 5.6.

25. WP CSV Exporter

Plugin: WP CSV Exporter
Slug: wp-csv-exporter
Vulnerability: CSV Injection
Patched in version: 1.3.7
Severity: Low
CVE: CVE-2022-3605

The vulnerability has been patched, so you should update to version 1.3.7.

26. Booster Plus for WooCommerce

Plugin: Booster Plus for WooCommerce
Slug: booster-plus-for-woocommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 6.0.0
Severity: High
CVE: CVE-2022-4227

The vulnerability has been patched, so you should update to version 6.0.0.

27. Contest Gallery Pro

Plugin: Contest Gallery Pro
Slug: contest-gallery-pro
Vulnerability: Admin+ SQL Injection
Patched in version: 19.1.5
Severity: Medium
CVE: CVE-2022-4154

The vulnerability has been patched, so you should update to version 19.1.5.

28. Booster Elite for WooCommerce

Plugin: Booster Elite for WooCommerce
Slug: booster-elite-for-woocommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in version: 6.0.0
Severity: High
CVE: CVE-2022-4227

The vulnerability has been patched, so you should update to version 6.0.0.

29. WooCommerce Gift Cards Premium

Plugin: YITH WooCommerce Gift Cards
Slug: yith-woocommerce-gift-cards-premium
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: 3.20.0
Severity: Critical
CVE: CVE-2022-45359

The vulnerability has been patched, so you should update to version 3.20.0.

WordPress Plugin Vulnerabilities – No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

Paytium

Plugin: Paytium: Mollie payment forms & donations
Slug: paytium
Vulnerability: Admin+ Stored XSS
Patched in version: No fix
Severity: Low
CVE: CVE-2022-4042

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

ImageInject

Plugin: ImageInject
Slug: wp-inject
Vulnerability: Admin+ Stored XSS
Patched in version: No fix
Severity: Low
CVE: CVE-2022-4243

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Menu Item Visibility Control

Plugin: Menu Item Visibility Control
Slug: menu-items-visibility-control
Vulnerability: Admin+ Arbitrary PHP Code Execution
Patched in version: No fix
Severity: Medium
CVE: CVE-2021-24942

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Bulk Delete Users by Email

Plugin: Bulk Delete Users by Email
Slug: bulk-delete-users-by-email
Vulnerability: User Deletion via CSRF; Reflected Cross-Site Scripting
Patched in version: No fix
Severity: High
CVE: CVE-2022-4266

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Eventify

Plugin: Eventify™ – Simple Events
Slug: eventify
Vulnerability: Admin+ Stored XSS
Patched in version: No fix
Severity: Low
CVE: CVE-2022-4110

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Supra CSV

Plugin: Supra CSV
Slug: supra-csv-parser
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in version: No fix
Severity: Medium
CVE: CVE-2022-3853

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

IWS – Geo Form Fields

Plugin: IWS – Geo Form Fields
Slug: iws-geo-form-fields
Vulnerability: Unauthenticated SQLi
Patched in version: No fix
Severity: High
CVE: CVE-2022-4117

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Advanced Booking Calendar

Plugin: Advanced Booking Calendar
Slug: advanced-booking-calendar
Vulnerability: CSRF; Unauthenticated SQLi
Patched in version: No fix
Severity: Medium
CVE: CVE-2022-45824

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Plugin Logic

Plugin: Plugin Logic
Slug: plugin-logic
Vulnerability: Admin+ SQLi
Patched in version: No fix
Severity: Medium
CVE: CVE-2022-4268

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

1. Workreap

Theme: Workreap
Slug: workreap
Vulnerability: Subscriber+ Arbitrary Posts Deletion via IDOR
Patched in version: 2.6.4
Severity: Medium
CVE: CVE-2022-4239

The vulnerability has been patched, so you should update to version 2.6.4.
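Checking a site against a list this long by hand is error-prone, so here is an added example (not part of the iThemes roundup or of this post) that does it for you. It takes the JSON that WP-CLI's `wp plugin list --format=json` prints, compares each installed plugin's version with the patched version from the tables above, and reports which plugins need an update and which closed plugins need to be deleted. The plugin list embedded below is a constructed sample, including its version numbers; on a real site, pipe the WP-CLI output into `triage()` instead.

```python
"""Triage installed WordPress plugins against the roundup above.
Added example, not part of the iThemes roundup. Input is the JSON that
`wp plugin list --format=json` prints; the sample below is constructed."""
import json

# Slug -> first patched version from the tables above; None means the
# plugin is closed with no fix and has to be removed.
ADVISORIES = {
    "autoptimize": "3.1.0",
    "easy-wp-smtp": "1.5.2",
    "yikes-inc-easy-custom-woocommerce-product-tabs": "1.8.0",
    "woocommerce-jetpack": "5.6.3",
    "stop-spammer-registrations-plugin": "2022.6",
    "quiz-master-next": "8.0.5",
    "slider-wd": "1.2.53",
    "appointment-hour-booking": "1.3.73",
    "wp-google-places-review-slider": "11.6",
    "google-apps-login": "3.4.5",
    "usc-e-shop": "2.8.6",
    "gd-bbpress-attachments": "4.4",
    "simple-basic-contact-form": "20221201",
    "wp-ban": "1.69.1",
    "widgetkit-for-elementor": "2.4.4",
    "advanced-coupons-for-woocommerce-free": "4.5.0.1",
    "kwayy-html-sitemap": "4.0",
    "woo-refund-and-exchange-lite": "4.0.9",
    "wp-smart-import": "1.0.3",
    "chained-quiz": "1.3.2.5",
    "filter-gallery": "0.1.6",
    "contest-gallery": "19.1.5.1",
    "simplepress": "6.8.1",
    "armember": "5.6",
    "wp-csv-exporter": "1.3.7",
    "booster-plus-for-woocommerce": "6.0.0",
    "contest-gallery-pro": "19.1.5",
    "booster-elite-for-woocommerce": "6.0.0",
    "yith-woocommerce-gift-cards-premium": "3.20.0",
    "paytium": None,
    "wp-inject": None,
    "menu-items-visibility-control": None,
    "bulk-delete-users-by-email": None,
    "eventify": None,
    "supra-csv-parser": None,
    "iws-geo-form-fields": None,
    "advanced-booking-calendar": None,
    "plugin-logic": None,
}

def parse_version(text):
    """'1.2.53' -> (1, 2, 53). Non-digit characters in a segment are dropped,
    so date-style versions such as '20221201' and '2022.6' compare numerically."""
    parts = []
    for segment in text.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_lt(installed, fixed):
    """True when installed < fixed. Shorter tuples are zero-padded so that
    '4.4' is not reported as older than '4.4.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def triage(plugins, advisories=ADVISORIES):
    """plugins: the list `wp plugin list --format=json` prints (each entry has
    at least 'name' and 'version'). Returns {slug: 'update'|'remove'|'ok'} for
    every installed plugin named in advisories. Inactive plugins are reported
    too: the vulnerable files stay on disk until the plugin is deleted."""
    actions = {}
    for plugin in plugins:
        slug = plugin["name"]
        if slug not in advisories:
            continue
        fixed = advisories[slug]
        if fixed is None:
            actions[slug] = "remove"
        elif version_lt(plugin["version"], fixed):
            actions[slug] = "update"
        else:
            actions[slug] = "ok"
    return actions

# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "autoptimize", "status": "active", "update": "available", "version": "3.0.4"},
    {"name": "contest-gallery", "status": "active", "update": "none", "version": "19.1.5.1"},
    {"name": "gd-bbpress-attachments", "status": "inactive", "update": "none", "version": "4.4"},
    {"name": "plugin-logic", "status": "active", "update": "none", "version": "1.0.7"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.0.1"},
])

def triage_sample():
    """Run the triage over the constructed sample."""
    return triage(json.loads(SAMPLE_WP_PLUGIN_LIST))

if __name__ == "__main__":
    for slug, action in sorted(triage_sample().items()):
        print(f"{slug}: {action}")
```

On a real site, `wp plugin list --format=json | python3 triage.py` with `json.load(sys.stdin)` in place of the sample is all that changes. Note that the comparison is by slug and version only: an inactive plugin is still flagged, since the advisory's fix is to delete closed plugins rather than merely deactivate them.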



If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!