WordPress Vulnerability Report – December 2022 Part 2

Threat Alerts / December 14, 2022
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible. As always with a core release, make sure your site is backed up with BackupBuddy before updating.

1. WordPress Core

VULNERABILITY: Unauthenticated Blind SSRF via DNS Rebinding
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
CVE: CVE-2022-3590

The vulnerability has not been patched.

This vulnerability was reported by Thomas Chauchefoin and, at the time of writing, affects all versions of WordPress. The probability of exploitation is very low, and to fully protect yourself all you need to do is turn off XML-RPC or pingbacks on your WordPress site.
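One way to apply that mitigation, as an added example that is not from the original post or from WordPress itself: a must-use plugin (the file location is an assumption) that blocks authenticated XML-RPC calls, removes the pingback methods, and stops advertising the pingback endpoint. Note that the xmlrpc_enabled filter on its own does not stop pingback.ping, because pingbacks are unauthenticated and that filter is only consulted on login.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC and Pingbacks
 * Description: Added example, not part of the original post. Drop this file into
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Block every XML-RPC method that requires a login. This filter is checked in
// wp_xmlrpc_server::login(), so it does NOT cover pingback.ping, which needs no login.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the pingback methods from the method table so pingback.ping cannot be
// dispatched at all, whether or not the caller is authenticated.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop sending the X-Pingback response header that points clients at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Report every post as closed to pings, so themes that check pings_open()
// stop emitting the <link rel="pingback"> tag in the page head.
add_filter( 'pings_open', '__return_false' );
```

To confirm the change took effect, call system.listMethods against xmlrpc.php and check that the two pingback methods are no longer listed, and check that singular pages no longer return an X-Pingback header.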

WordPress Plugin Vulnerabilities

1. White Label CMS

PLUGIN: White Label CMS
PLUGIN SLUG: white-label-cms
INSTALLATIONS: 200,000+
VULNERABILITY: Admin+ PHP Object Injection
PATCHED IN VERSION: 2.5
SEVERITY SCORE: Low
CVE: CVE-2022-4302

The vulnerability has been patched, so you should update to version 2.5.

2. iubenda

PLUGIN: iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more
PLUGIN SLUG: iubenda-cookie-law-solution
INSTALLATIONS: 100,000+
VULNERABILITY: Subscriber+ Privilege Escalation to Admin
PATCHED IN VERSION: 3.3.3
SEVERITY SCORE: High
CVE: CVE-2022-3911

The vulnerability has been patched, so you should update to version 3.3.3.

3. Custom Field Template

PLUGIN: Custom Field Template
PLUGIN SLUG: custom-field-template
INSTALLATIONS: 50,000+
VULNERABILITY: Admin+ PHP Object Injection
PATCHED IN VERSION: 2.5.8
SEVERITY SCORE: Low
CVE: CVE-2022-4324

The vulnerability has been patched, so you should update to version 2.5.8.

4. Team Members

PLUGIN: Team Members
PLUGIN SLUG: team-members
INSTALLATIONS: 40,000+
VULNERABILITY: Editor+ Stored XSS
PATCHED IN VERSION: 5.2.1
SEVERITY SCORE: Low
CVE: CVE-2022-3936

The vulnerability has been patched, so you should update to version 5.2.1.

5. WP Custom Admin Interface

PLUGIN: WP Custom Admin Interface
PLUGIN SLUG: wp-custom-admin-interface
INSTALLATIONS: 30,000+
VULNERABILITY: Admin+ PHP Object Injection
PATCHED IN VERSION: 7.29
SEVERITY SCORE: Medium
CVE: CVE-2022-4043

The vulnerability has been patched, so you should update to version 7.29.

6. Image Hover Effects Ultimate

PLUGIN: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
PLUGIN SLUG: image-hover-effects-ultimate
INSTALLATIONS: 20,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 9.8.5
SEVERITY SCORE: Low
CVE: CVE-2022-4207

The vulnerability has been patched, so you should update to version 9.8.5.

7. WP-Ban

PLUGIN: WP-Ban
PLUGIN SLUG: wp-ban
INSTALLATIONS: 10,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 1.69.1
SEVERITY SCORE: Low
CVE: CVE-2022-4260

The vulnerability has been patched, so you should update to version 1.69.1.

8. All-in-One Addons for Elementor – WidgetKit

PLUGIN: All-in-One Addons for Elementor – WidgetKit
PLUGIN SLUG: widgetkit-for-elementor
INSTALLATIONS: 10,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 2.4.4
SEVERITY SCORE: Low
CVE: CVE-2022-4256

The vulnerability has been patched, so you should update to version 2.4.4.

9. Authenticator

PLUGIN: Authenticator
PLUGIN SLUG: authenticator
INSTALLATIONS: 3,000+
VULNERABILITY: Subscriber+ Denial of Service via Feed Token Disclosure
PATCHED IN VERSION: 1.3.1
SEVERITY SCORE: Medium
CVE: CVE-2022-3994

The vulnerability has been patched, so you should update to version 1.3.1.

10. BookingPress

PLUGIN: BookingPress – Appointments Booking Calendar Plugin and Online Scheduling Plugin
PLUGIN SLUG: bookingpress-appointment-booking
INSTALLATIONS: 3,000+
VULNERABILITY: Unauthenticated IDOR in appointment_id
PATCHED IN VERSION: 1.0.31
SEVERITY SCORE: High
CVE: CVE-2022-4340

The vulnerability has been patched, so you should update to version 1.0.31.

11. WP Smart Import

PLUGIN: WP Smart Import : Import any XML File to WordPress
PLUGIN SLUG: wp-smart-import
INSTALLATIONS: 2,000+
VULNERABILITY: Reflected Cross-Site Scripting
PATCHED IN VERSION: 1.0.3
SEVERITY SCORE: Medium
CVE: CVE-2022-40209

The vulnerability has been patched, so you should update to version 1.0.3.

12. Image Optimizer, Resizer and CDN

PLUGIN: Image Optimizer, Resizer and CDN – Sirv
PLUGIN SLUG: sirv
INSTALLATIONS: 1,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 6.8.1
SEVERITY SCORE: Low
CVE: CVE-2022-4119

The vulnerability has been patched, so you should update to version 6.8.1.

13. WordPress Filter Gallery Plugin

PLUGIN: WordPress Filter Gallery Plugin
PLUGIN SLUG: filter-gallery
INSTALLATIONS: 1,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 0.1.6
SEVERITY SCORE: Low
CVE: CVE-2022-4142

The vulnerability has been patched, so you should update to version 0.1.6.

14. WP-Lister Lite for Amazon

PLUGIN: WP-Lister Lite for Amazon
PLUGIN SLUG: wp-lister-for-amazon
INSTALLATIONS: 1,000+
VULNERABILITY: Reflected XSS
PATCHED IN VERSION: 2.4.4
SEVERITY SCORE: High
CVE: CVE-2022-4369

The vulnerability has been patched, so you should update to version 2.4.4.

15. Joy Of Text Lite

PLUGIN: Joy Of Text Lite – SMS messaging for WordPress
PLUGIN SLUG: joy-of-text
INSTALLATIONS: 900+
VULNERABILITY: Unauthenticated SQLi
PATCHED IN VERSION: 2.3.1
SEVERITY SCORE: High
CVE: CVE-2022-4099

The vulnerability has been patched, so you should update to version 2.3.1.

16. Build App Online

PLUGIN: Build App Online
PLUGIN SLUG: build-app-online
INSTALLATIONS: 900+
VULNERABILITY: Unauthenticated SQL Injection
PATCHED IN VERSION: 1.0.19
SEVERITY SCORE: High
CVE: CVE-2022-3241

The vulnerability has been patched, so you should update to version 1.0.19.

17. Wholesale Market

PLUGIN: Wholesale Market
PLUGIN SLUG: wholesale-market
INSTALLATIONS: 600+
VULNERABILITY: Unauthenticated Arbitrary File Download
PATCHED IN VERSION: 2.2.1
SEVERITY SCORE: High
CVE: CVE-2022-4298

The vulnerability has been patched, so you should update to version 2.2.1.

18. Visual Email Designer for WooCommerce

PLUGIN: Visual Email Designer for WooCommerce
PLUGIN SLUG: email-customizer-woocommerce
INSTALLATIONS: 100+
VULNERABILITY: Multiple Author+ SQLi
PATCHED IN VERSION: 1.7.2
SEVERITY SCORE: Medium
CVE: CVE-2022-3860

The vulnerability has been patched, so you should update to version 1.7.2.

19. Login with Cognito

PLUGIN: Login with Cognito
PLUGIN SLUG: login-with-cognito
INSTALLATIONS: 60+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 1.4.9
SEVERITY SCORE: Low
CVE: CVE-2022-4200

The vulnerability has been patched, so you should update to version 1.4.9.

20. YITH WooCommerce Gift Cards

PLUGIN: YITH WooCommerce Gift Cards
PLUGIN SLUG: yith-woocommerce-gift-cards-premium
VULNERABILITY: Unauthenticated Arbitrary File Upload
PATCHED IN VERSION: 3.20.0
SEVERITY SCORE: Critical
CVE: CVE-2022-45359

The vulnerability has been patched, so you should update to version 3.20.0.

21. WP Cerber

PLUGIN: WP Cerber Security, Anti-spam & Malware Scan
PLUGIN SLUG: wp-cerber
VULNERABILITY: User Enumeration Bypass via REST API
PATCHED IN VERSION: 9.3.3
SEVERITY SCORE: Low
CVE: CVE-2022-4417

The vulnerability has been patched, so you should update to version 9.3.3.

22. WPQA

PLUGIN: WPQA Builder
PLUGIN SLUG: wpqa
VULNERABILITY: Missing validation leads to functionality abuse
PATCHED IN VERSION: 5.9.3
SEVERITY SCORE: Low
CVE: CVE-2022-3343

The vulnerability has been patched, so you should update to version 5.9.3.

23. Wholesale Market for WooCommerce

PLUGIN: Wholesale Market for WooCommerce
PLUGIN SLUG: wholesale-market-for-woocommerce
VULNERABILITY: Admin+ Arbitrary Log Download
PATCHED IN VERSION: 2.0.0
SEVERITY SCORE: Medium
CVE: CVE-2022-4109

The vulnerability has been patched, so you should update to version 2.0.0.
WordPress Plugin Vulnerabilities – No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

1. WP User

PLUGIN: WP User – Custom Registration Forms, Login and User Profile
PLUGIN SLUG: wp-user
VULNERABILITY: Unauthenticated SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: CVE-2022-4049

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

2. Quote-O-Matic

PLUGIN: Quote-O-Matic
PLUGIN SLUG: quote-o-matic
VULNERABILITY: Admin+ SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
CVE: CVE-2022-4373

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

3. Qe SEO Handyman

PLUGIN: Qe SEO Handyman
PLUGIN SLUG: qe-seo-handyman
VULNERABILITY: Admin+ SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
CVE: CVE-2022-4351

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

4. WP AutoComplete Search

PLUGIN: WP AutoComplete Search
PLUGIN SLUG: wp-autosearch
VULNERABILITY: Unauthenticated SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: CVE-2022-4297

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

5. Product list Widget for Woocommerce

PLUGIN: Product list Widget for Woocommerce
PLUGIN SLUG: gm-woo-product-list-widget
VULNERABILITY: Reflected XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: CVE-2022-4329

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

6. Web Invoice

PLUGIN: Web Invoice – Invoicing and billing for WordPress
PLUGIN SLUG: web-invoice
VULNERABILITY: Authenticated SQLi; Authenticated SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: CVE-2022-4372

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

7. Cryptocurrency Widgets Pack

PLUGIN: Cryptocurrency Widgets Pack
PLUGIN SLUG: cryptocurrency-widgets-pack
VULNERABILITY: Unauthenticated SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: CVE-2022-4059

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

8. LetsRecover

PLUGIN: LetsRecover – WooCommerce Abandoned Cart Notifications
PLUGIN SLUG: letsrecover-woocommerce-abandoned-cart
VULNERABILITY: Admin+ SQLi; Unauthenticated SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
CVE: CVE-2022-4355

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

9. WP Social Sharing

PLUGIN: WP Social Sharing
PLUGIN SLUG: wp-social-sharing
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low
CVE: CVE-2022-4198

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

10. Multimedial Images

PLUGIN: multimedial images
PLUGIN SLUG: multimedial-images
VULNERABILITY: Admin+ SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
CVE: CVE-2022-4370

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

11. WP RSS By Publishers

PLUGIN: WP RSS By Publishers
PLUGIN SLUG: wp-rss-by-publishers
VULNERABILITY: Admin+ SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
CVE: CVE-2022-4358

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

1. Superio – Job Board

THEME: Superio
THEME SLUG: superio
VULNERABILITY: Subscriber+ Stored Cross-Site Scripting
PATCHED IN VERSION: 1.2.33
SEVERITY SCORE: Low
CVE: CVE-2022-4114

The vulnerability has been patched, so you should update to version 1.2.33.

2. WPQA – Himer

THEME: Himer
THEME SLUG: himer
VULNERABILITY: Missing validation leads to functionality abuse
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low
CVE: CVE-2022-3343

The vulnerability has not been patched. You should switch themes.

3. WPQA – Discy

THEME: Discy
THEME SLUG: discy
VULNERABILITY: Missing validation leads to functionality abuse
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low
CVE: CVE-2022-3343

The vulnerability has not been patched. You should switch themes.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!