WordPress Vulnerability Report – December 2022 Part 3

Threat Alerts / December 21, 2022
WordPress Plugin Vulnerabilities this week: Table of Contents Plus, Download Manager, Smash Balloon Social Post Feed, Mesmerize Companion, etc.

Each vulnerability has a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always with a core release like this, it makes sense to ensure your site is backed up with BackupBuddy before updating.

1. WP

VULNERABILITY: Unauthenticated Blind SSRF via DNS Rebinding
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
CVE: 2022-3590

The vulnerability has not been patched.

This vulnerability was reported by Thomas Chauchefoin and, at the time of writing, affects all versions of WordPress. However, the probability of exploitation is very low, and to fully protect yourself, all you need to do is turn off XML-RPC or pingbacks on your WordPress site.
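The mitigation above (turn off XML-RPC or pingbacks) can be applied site-wide with a small must-use plugin. The following is an added example written for this post; it is not code from the original roundup, from iThemes, or from WordPress core. It uses only standard WordPress hooks (xmlrpc_enabled, xmlrpc_methods, wp_headers, pings_open and the rsd_link head action); the file name and plugin header are assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC and Pingbacks (added example, hypothetical mu-plugin)
 *
 * Save as wp-content/mu-plugins/disable-xmlrpc-pingbacks.php so it loads on
 * every request without needing activation. The pingback endpoint is what
 * fetches a remote "source" URL, so removing it is the part that matters for
 * the SSRF described in the roundup.
 */

// 1. Refuse every XML-RPC method that requires authentication.
//    Note: this filter does NOT cover pingback.ping, which is unauthenticated.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the pingback methods from the XML-RPC method table so the server
//    never performs the outbound fetch a pingback request triggers.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header and
//    the RSD <link> element in the page head.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Treat pings as closed on every post, so WordPress neither sends nor
//    accepts them regardless of the per-post discussion setting.
add_filter( 'pings_open', '__return_false', 20, 2 );
```

Step 1 alone is not enough: the xmlrpc_enabled filter only gates methods that require a login, and pingback.ping accepts unauthenticated requests, which is why step 2 removes it from the method table explicitly. To confirm the change took effect, send a system.listMethods call to /xmlrpc.php on your own site and check that pingback.ping is no longer in the returned list, and check that responses no longer carry an X-Pingback header.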

WordPress Plugin Vulnerabilities

1. Table of Contents Plus

PLUGIN: Table of Contents Plus
PLUGIN SLUG: table-of-contents-plus
INSTALLATIONS: 300,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 2212
SEVERITY SCORE: High
CVE: 2022-4479

The vulnerability has been patched, so you should update to version 2212.

2. Download Manager

PLUGIN: Download Manager
PLUGIN SLUG: download-manager
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 3.2.62
SEVERITY SCORE: High
CVE: 2022-4476

The vulnerability has been patched, so you should update to version 3.2.62.

3. Smash Balloon Social Post Feed

PLUGIN: Smash Balloon Social Post Feed
PLUGIN SLUG: custom-facebook-feed
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 4.1.6
SEVERITY SCORE: High
CVE: 2022-4477

The vulnerability has been patched, so you should update to version 4.1.6.

4. Mesmerize Companion

PLUGIN: Mesmerize Companion
PLUGIN SLUG: mesmerize-companion
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.6.135
SEVERITY SCORE: High
CVE: 2022-4481

The vulnerability has been patched, so you should update to version 1.6.135.

5. Starter Templates by Kadence WP

PLUGIN: Starter Templates by Kadence WP
PLUGIN SLUG: kadence-starter-templates
INSTALLATIONS: 100,000+
VULNERABILITY: Admin+ PHP Object Injection
PATCHED IN VERSION: 1.2.17
SEVERITY SCORE: Medium
CVE: 2022-3679

The vulnerability has been patched, so you should update to version 1.2.17.

6. Slimstat Analytics

PLUGIN: Slimstat Analytics
PLUGIN SLUG: wp-slimstat
INSTALLATIONS: 100,000+
VULNERABILITY: Unauthenticated Stored XSS
PATCHED IN VERSION: 4.9.3
SEVERITY SCORE: High
CVE: 2022-4310

The vulnerability has been patched, so you should update to version 4.9.3.

7. WPtouch

PLUGIN: WPtouch
PLUGIN SLUG: wptouch
INSTALLATIONS: 100,000+
VULNERABILITY: Admin+ PHP Object Injection; Admin+ Arbitrary File Upload
PATCHED IN VERSION: 4.3.45
SEVERITY SCORE: Medium
CVE: 2022-3417

The vulnerability has been patched, so you should update to version 4.3.45.

8. Royal Elementor Addons

PLUGIN: Royal Elementor Addons (Elementor Templates, Post Grid, Mega Menu & Header Footer Builder, WooCommerce Builder, Product Grid, Slider, Parallax Image & other Free Elementor Widgets)
PLUGIN SLUG: royal-elementor-addons
INSTALLATIONS: 100,000+
VULNERABILITY: Subscriber+ Arbitrary Post Creation; Subscriber+ Arbitrary Post Deletion
PATCHED IN VERSION: 1.3.56
SEVERITY SCORE: Medium
CVE: 2022-4103

The vulnerability has been patched, so you should update to version 1.3.56.

9. Permalink Manager Lite

PLUGIN: Permalink Manager Lite
PLUGIN SLUG: permalink-manager
INSTALLATIONS: 70,000+
VULNERABILITY: Authenticated Stored XSS
PATCHED IN VERSION: 2.3.0
SEVERITY SCORE: Medium
CVE: 2022-4410

The vulnerability has been patched, so you should update to version 2.3.0.

10. WOOCS

PLUGIN: WOOCS – Currency Switcher for WooCommerce Professional
PLUGIN SLUG: woocommerce-currency-switcher
INSTALLATIONS: 70,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.3.9.4
SEVERITY SCORE: High
CVE: 2022-4431

The vulnerability has been patched, so you should update to version 1.3.9.4.

11. WP Recipe Maker

PLUGIN: WP Recipe Maker
PLUGIN SLUG: wp-recipe-maker
INSTALLATIONS: 50,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 8.6.1
SEVERITY SCORE: High
CVE: 2022-4468

The vulnerability has been patched, so you should update to version 8.6.1.

12. Metricool

PLUGIN: Metricool
PLUGIN SLUG: metricool
INSTALLATIONS: 40,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 1.18
SEVERITY SCORE: Low
CVE: 2022-4299

The vulnerability has been patched, so you should update to version 1.18.

13. WP Custom Admin Interface

PLUGIN: WP Custom Admin Interface
PLUGIN SLUG: wp-custom-admin-interface
INSTALLATIONS: 30,000+
VULNERABILITY: Admin+ PHP Object Injection
PATCHED IN VERSION: 7.29
SEVERITY SCORE: Medium
CVE: 2022-4043

The vulnerability has been patched, so you should update to version 7.29.

14. Jetpack CRM

PLUGIN: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
PLUGIN SLUG: zero-bs-crm
INSTALLATIONS: 30,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 5.5
SEVERITY SCORE: High
CVE: 2022-4497

The vulnerability has been patched, so you should update to version 5.5.

15. Image Hover Effects Ultimate

PLUGIN: Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
PLUGIN SLUG: image-hover-effects-ultimate
INSTALLATIONS: 20,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 9.8.5
SEVERITY SCORE: Low
CVE: 2022-4207

The vulnerability has been patched, so you should update to version 9.8.5.

16. Multi Step Form

PLUGIN: Multi Step Form
PLUGIN SLUG: multi-step-form
INSTALLATIONS: 10,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 1.7.8
SEVERITY SCORE: Low
CVE: 2022-4196

The vulnerability has been patched, so you should update to version 1.7.8.

17. ActiveCampaign for WooCommerce

PLUGIN: ActiveCampaign for WooCommerce
PLUGIN SLUG: activecampaign-for-woocommerce
INSTALLATIONS: 8,000+
VULNERABILITY: Subscriber+ Error Log Cleanup
PATCHED IN VERSION: 1.9.8
SEVERITY SCORE: Medium
CVE: 2022-3923

The vulnerability has been patched, so you should update to version 1.9.8.

18. Vision Interactive For WordPress

PLUGIN: Vision Interactive For WordPress
PLUGIN SLUG: vision
INSTALLATIONS: 3,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.5.4
SEVERITY SCORE: High
CVE: 2022-4391

The vulnerability has been patched, so you should update to version 1.5.4.

19. Sunshine Photo Cart

PLUGIN: Sunshine Photo Cart
PLUGIN SLUG: sunshine-photo-cart
INSTALLATIONS: 1,000+
VULNERABILITY: Reflected XSS
PATCHED IN VERSION: 2.9.15
SEVERITY SCORE: High
CVE: 2022-4301

The vulnerability has been patched, so you should update to version 2.9.15.

20. Post Status Notifier Lite

PLUGIN: Post Status Notifier Lite
PLUGIN SLUG: post-status-notifier-lite
INSTALLATIONS: 1,000+
VULNERABILITY: Reflected XSS
PATCHED IN VERSION: 1.10.1
SEVERITY SCORE: High
CVE: 2022-4325

The vulnerability has been patched, so you should update to version 1.10.1.

21. WordPress Events Calendar Plugin

PLUGIN: WordPress Events Calendar Plugin – connectDaily
PLUGIN SLUG: connect-daily-web-calendar
INSTALLATIONS: 200+
VULNERABILITY: Multiple Reflected XSS
PATCHED IN VERSION: 1.4.5
SEVERITY SCORE: High
CVE: 2022-4320

The vulnerability has been patched, so you should update to version 1.4.5.

22. WPQA

PLUGIN: WPQA Builder
PLUGIN SLUG: wpqa
VULNERABILITY: Missing validation leads to functionality abuse
PATCHED IN VERSION: 5.9.3
SEVERITY SCORE: Low
CVE: 2022-3343

The vulnerability has been patched, so you should update to version 5.9.3.

23. Mautic Integration For WooCommerce

PLUGIN: Mautic Integration for WooCommerce
PLUGIN SLUG: mautic-integration-for-woocommerce
VULNERABILITY: Arbitrary Options Update via CSRF
PATCHED IN VERSION: 1.0.3
SEVERITY SCORE: High
CVE: 2022-4426

The vulnerability has been patched, so you should update to version 1.0.3.

24. iPages Flipbook For WordPress

PLUGIN: iPages Flipbook For WordPress
PLUGIN SLUG: ipages-flipbook
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.4.7
SEVERITY SCORE: Medium
CVE: 2022-4394

The vulnerability has been patched, so you should update to version 1.4.7.

WordPress Plugin Vulnerabilities – No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

Mega Addons For WPBakery Page Builder

PLUGIN: Mega Addons For WPBakery Page Builder
PLUGIN SLUG: mega-addons-for-visual-composer
INSTALLATIONS: 60,000+
VULNERABILITY: Subscriber+ Settings Update
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
CVE: 2022-4501

The vulnerability has not been patched. You should deactivate the plugin.

iPanorama 360 WordPress Virtual Tour Builder

PLUGIN: iPanorama 360 WordPress Virtual Tour Builder
PLUGIN SLUG: ipanorama-360-virtual-tour-builder-lite
INSTALLATIONS: 7,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: 2022-4392

The vulnerability has not been patched. You should deactivate the plugin.

ImageLinks Interactive Image Builder for WordPress

PLUGIN: ImageLinks Interactive Image Builder for WordPress
PLUGIN SLUG: imagelinks-interactive-image-builder-lite
INSTALLATIONS: 3,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: 2022-4393

The vulnerability has not been patched. You should deactivate the plugin.

WP CSV

PLUGIN: WP CSV
PLUGIN SLUG: wp-csv
VULNERABILITY: Reflected XSS via CSV Import
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
CVE: 2022-4368

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Table Reloaded

PLUGIN: WP-Table Reloaded
PLUGIN SLUG: wp-table-reloaded
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: 2022-4491

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Bg Bible References

PLUGIN: Bg Bible References
PLUGIN SLUG: bg-biblie-references
VULNERABILITY: Reflected XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: 2022-4374

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

404 to Start

PLUGIN: 404 to Start
PLUGIN SLUG: 404-to-start
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low
CVE: 2022-3855

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

1. WPQA

THEME: Himer
THEME SLUG: himer
VULNERABILITY: Missing validation leads to functionality abuse
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low
CVE: 2022-3343

The vulnerability has not been patched. You should switch themes.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!