
WordPress Vulnerability Report – December 2022 Part 4

Threat Alerts / December 28, 2022
This week's report covers 38 plugins with patched vulnerabilities, led by MonsterInsights, plus 8 closed plugins with no known fix. No new WordPress core or theme vulnerabilities were disclosed.

Each vulnerability is given a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, update to WordPress 6.1.1 as soon as possible. As always, before applying any core update, make sure your site is backed up (for example with BackupBuddy) so you can roll back if the update breaks something.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. MonsterInsights

PLUGIN: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
PLUGIN SLUG: google-analytics-for-wordpress
INSTALLATIONS: 3,000,000+
VULNERABILITY: Stored Cross-Site Scripting via Google Analytics
PATCHED IN VERSION: 8.9.1
SEVERITY SCORE: Medium
CVE: CVE-2022-3904

The vulnerability has been patched, so you should update to version 8.9.1.

2. Click to Chat

PLUGIN: Click to Chat
PLUGIN SLUG: click-to-chat-for-whatsapp
INSTALLATIONS: 400,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 3.18.1
SEVERITY SCORE: High
CVE: CVE-2022-4480

The vulnerability has been patched, so you should update to version 3.18.1.

3. Font Awesome

PLUGIN: Font Awesome
PLUGIN SLUG: font-awesome
INSTALLATIONS: 300,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 4.3.2
SEVERITY SCORE: High
CVE: CVE-2022-4478

The vulnerability has been patched, so you should update to version 4.3.2.

4. ProfilePress

PLUGIN: Paid Membership, Ecommerce, Registration Form, Login Form, User Profile, Paywall & Restrict Content – ProfilePress
PLUGIN SLUG: wp-user-avatar
INSTALLATIONS: 300,000+
VULNERABILITY: Admin+ Stored Cross-Site Scripting via Form Settings; Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: 4.5.1
SEVERITY SCORE: Low
CVE: CVE-2022-4698

Both vulnerabilities have been patched, so you should update to version 4.5.1.

5. Table of Contents Plus

PLUGIN: Table of Contents Plus
PLUGIN SLUG: table-of-contents-plus
INSTALLATIONS: 300,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 2212
SEVERITY SCORE: High
CVE: CVE-2022-4479

The vulnerability has been patched, so you should update to version 2212.

6. Anti-Malware Security and Brute-Force Firewall

PLUGIN: Anti-Malware Security and Brute-Force Firewall
PLUGIN SLUG: gotmls
INSTALLATIONS: 200,000+
VULNERABILITY: Admin+ PHP Object Injection
PATCHED IN VERSION: 4.21.86
SEVERITY SCORE: Low
CVE: CVE-2022-4327

The vulnerability has been patched, so you should update to version 4.21.86.

7. Page Scroll To ID

PLUGIN: Page scroll to id
PLUGIN SLUG: page-scroll-to-id
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.7.6
SEVERITY SCORE: High
CVE: CVE-2022-4449

The vulnerability has been patched, so you should update to version 1.7.6.

8. Real Cookie Banner

PLUGIN: Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent
PLUGIN SLUG: real-cookie-banner
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 3.4.10
SEVERITY SCORE: High
CVE: CVE-2022-4507

The vulnerability has been patched, so you should update to version 3.4.10.

9. Mesmerize Companion

PLUGIN: Mesmerize Companion
PLUGIN SLUG: mesmerize-companion
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.6.135
SEVERITY SCORE: High
CVE: CVE-2022-4481

The vulnerability has been patched, so you should update to version 1.6.135.

10. Slimstat Analytics

PLUGIN: Slimstat Analytics
PLUGIN SLUG: wp-slimstat
INSTALLATIONS: 100,000+
VULNERABILITY: Unauthenticated Stored XSS
PATCHED IN VERSION: 4.9.3
SEVERITY SCORE: High
CVE: CVE-2022-4310

The vulnerability has been patched, so you should update to version 4.9.3.

11. Smash Balloon Social Post Feed

PLUGIN: Smash Balloon Social Post Feed
PLUGIN SLUG: custom-facebook-feed
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 4.1.6
SEVERITY SCORE: High
CVE: CVE-2022-4477

The vulnerability has been patched, so you should update to version 4.1.6.

12. WPtouch

PLUGIN: WPtouch
PLUGIN SLUG: wptouch
INSTALLATIONS: 100,000+
VULNERABILITY: Admin+ PHP Object Injection; Admin+ Arbitrary File Upload
PATCHED IN VERSION: 4.3.45
SEVERITY SCORE: Medium
CVE: CVE-2022-3417

Both vulnerabilities have been patched, so you should update to version 4.3.45.

13. Download Manager

PLUGIN: Download Manager
PLUGIN SLUG: download-manager
INSTALLATIONS: 100,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 3.2.62
SEVERITY SCORE: High
CVE: CVE-2022-4476

The vulnerability has been patched, so you should update to version 3.2.62.

14. WOOCS

PLUGIN: WOOCS – Currency Switcher for WooCommerce Professional
PLUGIN SLUG: woocommerce-currency-switcher
INSTALLATIONS: 70,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.3.9.4
SEVERITY SCORE: High
CVE: CVE-2022-4431

The vulnerability has been patched, so you should update to version 1.3.9.4.

15. 3D FlipBook

PLUGIN: 3D FlipBook – PDF Flipbook Viewer, Flipbook Image Gallery
PLUGIN SLUG: interactive-3d-flipbook-powered-physics-engine
INSTALLATIONS: 70,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.13.3
SEVERITY SCORE: High
CVE: CVE-2022-4453

The vulnerability has been patched, so you should update to version 1.13.3.

16. Carousel, Slider, Gallery by WP Carousel

PLUGIN: Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce
PLUGIN SLUG: wp-carousel-free
INSTALLATIONS: 50,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 2.5.3
SEVERITY SCORE: High
CVE: CVE-2022-4482

The vulnerability has been patched, so you should update to version 2.5.3.

17. WP Video Lightbox

PLUGIN: WP Video Lightbox
PLUGIN SLUG: wp-video-lightbox
INSTALLATIONS: 50,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.9.7
SEVERITY SCORE: High
CVE: CVE-2022-4465

The vulnerability has been patched, so you should update to version 1.9.7.

18. Simple Membership

PLUGIN: Simple Membership
PLUGIN SLUG: simple-membership
INSTALLATIONS: 50,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 4.2.2
SEVERITY SCORE: High
CVE: CVE-2022-4469

The vulnerability has been patched, so you should update to version 4.2.2.

19. WP Recipe Maker

PLUGIN: WP Recipe Maker
PLUGIN SLUG: wp-recipe-maker
INSTALLATIONS: 50,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 8.6.1
SEVERITY SCORE: High
CVE: CVE-2022-4468

The vulnerability has been patched, so you should update to version 8.6.1.

20. Themify Portfolio Post

PLUGIN: Themify Portfolio Post
PLUGIN SLUG: themify-portfolio-post
INSTALLATIONS: 50,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 1.2.1
SEVERITY SCORE: High
CVE: CVE-2022-4464

The vulnerability has been patched, so you should update to version 1.2.1.

21. Metricool

PLUGIN: Metricool
PLUGIN SLUG: metricool
INSTALLATIONS: 40,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 1.18
SEVERITY SCORE: Low
CVE: CVE-2022-4299

The vulnerability has been patched, so you should update to version 1.18.

22. ConvertKit

PLUGIN: ConvertKit – Email Marketing, Email Newsletter and Landing Pages
PLUGIN SLUG: convertkit
INSTALLATIONS: 40,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 2.0.5
SEVERITY SCORE: High
CVE: CVE-2022-4508

The vulnerability has been patched, so you should update to version 2.0.5.

23. Super Socializer

PLUGIN: Social Share, Social Login and Social Comments Plugin – Super Socializer
PLUGIN SLUG: super-socializer
INSTALLATIONS: 40,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 7.13.44
SEVERITY SCORE: High
CVE: CVE-2022-4484

The vulnerability has been patched, so you should update to version 7.13.44.

24. Real Testimonials

PLUGIN: Real Testimonials
PLUGIN SLUG: testimonial-free
INSTALLATIONS: 40,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 2.6.0
SEVERITY SCORE: High
CVE: CVE-2022-4648

The vulnerability has been patched, so you should update to version 2.6.0.

25. Easy Accordion

PLUGIN: Easy Accordion – Best Accordion FAQ Plugin for WordPress
PLUGIN SLUG: easy-accordion-free
INSTALLATIONS: 40,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 2.2.0
SEVERITY SCORE: High
CVE: CVE-2022-4487

The vulnerability has been patched, so you should update to version 2.2.0.

26. MashShare

PLUGIN: Social Media Share Buttons | MashShare
PLUGIN SLUG: mashsharer
INSTALLATIONS: 30,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 3.8.7
SEVERITY SCORE: High
CVE: CVE-2022-4544

The vulnerability has been patched, so you should update to version 3.8.7.

27. Seriously Simple Podcasting

PLUGIN: Seriously Simple Podcasting
PLUGIN SLUG: seriously-simple-podcasting
INSTALLATIONS: 30,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 2.19.1
SEVERITY SCORE: High
CVE: CVE-2022-4571

The vulnerability has been patched, so you should update to version 2.19.1.

28. Jetpack CRM

PLUGIN: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
PLUGIN SLUG: zero-bs-crm
INSTALLATIONS: 30,000+
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: 5.5
SEVERITY SCORE: High
CVE: CVE-2022-4497

The vulnerability has been patched, so you should update to version 5.5.

29. Subscribe2

PLUGIN: Subscribe2 – Form, Email Subscribers & Newsletters
PLUGIN SLUG: subscribe2
INSTALLATIONS: 30,000+
VULNERABILITY: User Deletion via CSRF
PATCHED IN VERSION: 10.38
SEVERITY SCORE: High
CVE: CVE-2022-4309

The vulnerability has been patched, so you should update to version 10.38.

30. WCK

PLUGIN: Custom Post Types and Custom Fields creator – WCK
PLUGIN SLUG: wck-custom-fields-and-custom-post-types-creator
INSTALLATIONS: 20,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 2.3.3
SEVERITY SCORE: Low
CVE: CVE-2022-4442

The vulnerability has been patched, so you should update to version 2.3.3.

31. Welcart e-Commerce

PLUGIN: Welcart e-Commerce
PLUGIN SLUG: usc-e-shop
INSTALLATIONS: 20,000+
VULNERABILITY: Contributor+ Stored XSS via Shortcode
PATCHED IN VERSION: 2.8.9
SEVERITY SCORE: High
CVE: CVE-2022-4655

The vulnerability has been patched, so you should update to version 2.8.9.

32. Link Library

PLUGIN: Link Library
PLUGIN SLUG: link-library
INSTALLATIONS: 10,000+
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: 7.4.1
SEVERITY SCORE: Low
CVE: CVE-2022-4199

The vulnerability has been patched, so you should update to version 7.4.1.

33. Greenshift – animation and page builder blocks

PLUGIN: Greenshift – animation and page builder blocks
PLUGIN SLUG: greenshift-animation-and-page-builder-blocks
INSTALLATIONS: 10,000+
VULNERABILITY: Contributor+ Stored XSS via Shortcode
PATCHED IN VERSION: 4.8.9
SEVERITY SCORE: High
CVE: CVE-2022-4653

The vulnerability has been patched, so you should update to version 4.8.9.

34. Tickera

PLUGIN: Tickera – WordPress Event Ticketing
PLUGIN SLUG: tickera-event-ticketing-system
INSTALLATIONS: 5,000+
VULNERABILITY: Plugin Data Deletion via CSRF
PATCHED IN VERSION: 3.5.1.0
SEVERITY SCORE: Low
CVE: CVE-2022-4549

The vulnerability has been patched, so you should update to version 3.5.1.0.

35. WP Spell Check

PLUGIN: WP Spell Check
PLUGIN SLUG: wp-spell-check
INSTALLATIONS: 3,000+
VULNERABILITY: Ignored Word Deletion via CSRF; Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: 9.13
SEVERITY SCORE: Medium

Both vulnerabilities have been patched, so you should update to version 9.13.

36. Show All Comments

PLUGIN: Show All Comments
PLUGIN SLUG: show-all-comments-in-one-page
INSTALLATIONS: 900+
VULNERABILITY: Reflected XSS
PATCHED IN VERSION: 7.0.1
SEVERITY SCORE: High
CVE: CVE-2022-4295

The vulnerability has been patched, so you should update to version 7.0.1.

37. WordPress Events Calendar Plugin

PLUGIN: WordPress Events Calendar Plugin – connectDaily
PLUGIN SLUG: connect-daily-web-calendar
INSTALLATIONS: 200+
VULNERABILITY: Multiple Reflected XSS
PATCHED IN VERSION: 1.4.5
SEVERITY SCORE: High
CVE: CVE-2022-4320

The vulnerabilities have been patched, so you should update to version 1.4.5.

38. Mautic Integration For WooCommerce

PLUGIN: Mautic Integration for WooCommerce
PLUGIN SLUG: mautic-integration-for-woocommerce
VULNERABILITY: Arbitrary Options Update via CSRF
PATCHED IN VERSION: 1.0.3
SEVERITY SCORE: High
CVE: CVE-2022-4426

The vulnerability has been patched, so you should update to version 1.0.3.


WordPress Plugin Vulnerabilities – No Known Fix

Until a patch is available, deactivate and delete the plugin immediately. Deactivating alone is not enough: the plugin's files stay on the server, and any PHP file the plugin exposes for direct access remains reachable.

Conditional Payment Methods for WooCommerce

PLUGIN: Conditional Payment Methods for WooCommerce
PLUGIN SLUG: conditional-payment-methods-for-woocommerce
VULNERABILITY: Admin+ SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Medium
CVE: CVE-2022-4547

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Attachments

PLUGIN: WP Attachments
PLUGIN SLUG: wp-attachments
VULNERABILITY: Admin+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Low
CVE: CVE-2022-4330

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Easy Bootstrap Shortcode

PLUGIN: Easy Bootstrap Shortcode
PLUGIN SLUG: easy-bootstrap-shortcodes
VULNERABILITY: Contributor+ Stored XSS
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: CVE-2022-4576

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Images Optimize and Upload CF7

PLUGIN: Images Optimize and Upload CF7
PLUGIN SLUG: images-optimize-and-upload-cf7
VULNERABILITY: Unauthenticated Arbitrary File Deletion
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Critical
CVE: CVE-2022-4101

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin. Because the flaw needs no authentication, treat any site that has had this plugin installed as exposed: after removing it, check that core and plugin files are intact and review the site for signs of tampering.

Fontsy

PLUGIN: Fontsy
PLUGIN SLUG: fontsy
VULNERABILITY: Multiple Unauthenticated SQLi
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: CVE-2022-4447

The vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin. Because the flaws need no authentication, review the database for unexpected changes after removing it.

User Post Gallery

PLUGIN: User Post Gallery – UPG
PLUGIN SLUG: wp-upg
VULNERABILITY: Unauthenticated RCE
PATCHED IN VERSION: No Fix
SEVERITY SCORE: Critical
CVE: CVE-2022-4060

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin. Unauthenticated remote code execution with no fix is the worst case in this report: assume any site that has had this plugin installed may already be compromised, and after removing it review the site for web shells, unknown admin users and modified files rather than stopping at the uninstall.

RSSImport

PLUGIN: RSSImport
PLUGIN SLUG: rss-import
VULNERABILITY: Contributor+ Stored XSS via Shortcode
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: CVE-2022-4658

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Sidebar Widgets by CodeLights

PLUGIN: Sidebar Widgets by CodeLights
PLUGIN SLUG: codelights-shortcodes-and-widgets
VULNERABILITY: Contributor+ Stored XSS; Admin+ Stored Cross-Site Scripting
PATCHED IN VERSION: No Fix
SEVERITY SCORE: High
CVE: CVE-2022-4460

The vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin.
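As an added example (not part of the original report and not iThemes' or any plugin author's code), the following Python script turns the two lists above into an actionable check: it flags any installed plugin that is below its patched version, and any plugin from the no-known-fix list regardless of version. It assumes the input is the JSON printed by `wp plugin list --format=json --fields=name,version,status`, in which `name` is the plugin slug. The advisory tables inside the script carry a subset of this week's rows (slugs and versions copied from the report); the site inventory is constructed for the demonstration.

```python
"""Flag installed WordPress plugins that fall under this week's advisories.

Input: the JSON that `wp plugin list --format=json --fields=name,version,status`
prints (the `name` field is the plugin slug). Plugin status is deliberately
ignored: a deactivated plugin's files remain on disk and still need updating
or removing.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Tuple

# Advisory data copied from the report above (a subset, to keep the example
# short): slug -> first patched version.
PATCHED = {
    "google-analytics-for-wordpress": "8.9.1",    # MonsterInsights, CVE-2022-3904
    "click-to-chat-for-whatsapp": "3.18.1",       # CVE-2022-4480
    "table-of-contents-plus": "2212",             # CVE-2022-4479
    "wp-slimstat": "4.9.3",                       # CVE-2022-4310
    "woocommerce-currency-switcher": "1.3.9.4",   # CVE-2022-4431
    "subscribe2": "10.38",                        # CVE-2022-4309
    "tickera-event-ticketing-system": "3.5.1.0",  # CVE-2022-4549
}
# Closed plugins with no fix: any installed version is a finding.
NO_FIX = {
    "conditional-payment-methods-for-woocommerce",  # CVE-2022-4547
    "images-optimize-and-upload-cf7",               # CVE-2022-4101
    "fontsy",                                       # CVE-2022-4447
    "wp-upg",                                       # CVE-2022-4060
}

_VERSION = re.compile(r"\s*(\d+(?:\.\d+)*)(.*)$")


def version_key(version: str) -> Tuple[int, ...]:
    """Map '1.3.9.4', '2212' or '10.38' to a tuple of ints for comparison.

    A pre-release suffix ('8.9.1-beta1') appends -1 so the build sorts just
    below the release it precedes; that errs on the side of flagging it.
    """
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    return nums + ((-1,) if m.group(2).strip() else ())


def is_older(installed: str, patched: str) -> bool:
    """True when `installed` is strictly below `patched` ('8.9' < '8.9.1')."""
    a, b = version_key(installed), version_key(patched)
    width = max(len(a), len(b))
    # Pad the shorter tuple with zeros so '8.9' compares as '8.9.0'.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


@dataclass
class Finding:
    slug: str
    installed: str
    action: str


def audit(wp_plugin_list_json: str) -> List[Finding]:
    """Return one Finding per installed plugin that the advisories apply to."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        slug, installed = plugin["name"], plugin["version"]
        if slug in NO_FIX:
            findings.append(Finding(slug, installed,
                                    "no fix available; deactivate and delete"))
        elif slug in PATCHED and is_older(installed, PATCHED[slug]):
            findings.append(Finding(slug, installed,
                                    f"update to {PATCHED[slug]} or later"))
    return findings


# Constructed sample inventory standing in for real `wp plugin list` output;
# the version numbers are invented for the demonstration.
SAMPLE_INVENTORY = json.dumps([
    {"name": "google-analytics-for-wordpress", "status": "active", "version": "8.9"},
    {"name": "table-of-contents-plus", "status": "active", "version": "2211"},
    {"name": "woocommerce-currency-switcher", "status": "active", "version": "1.3.9.4"},
    {"name": "subscribe2", "status": "inactive", "version": "10.37"},
    {"name": "wp-upg", "status": "inactive", "version": "1.0.0"},
    {"name": "akismet", "status": "active", "version": "5.0.2"},
])

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.slug} {f.installed}: {f.action}")
```

On a real site, export the inventory with `wp plugin list --format=json --fields=name,version,status > plugins.json` and pass the file's contents to `audit()`, after extending `PATCHED` and `NO_FIX` with the remaining rows above. The version comparison is numeric on purpose: this week's patched versions range from `1.3.9.4` to `2212` and `10.38`, and a plain string comparison would mis-order `10.38` against `10.9` or `8.9` against `8.9.1`.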

WordPress Theme Vulnerabilities

Good news! No new WordPress theme vulnerabilities were disclosed this week.

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we have already taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!