WordPress Vulnerability Report – January 2023 Part 1

Threat Alerts / January 04, 2023
Be sure to update to WordPress 6.1.1 as soon as possible!

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

WordPress Core Vulnerabilities

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, it makes sense to ensure your site is backed up with BackupBuddy before updating.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

1. All In One WP Security & Firewall

Plugin: All-In-One Security (AIOS) – Security and Firewall
Plugin slug: all-in-one-wp-security-and-firewall
Installations: 1,000,000+
Vulnerability: Configuration Leak
Patched in version: 5.1.3
Severity score: Medium
CVE: CVE-2022-4346

The vulnerability has been patched, so you should update to version 5.1.3.

2. WP Statistics

Plugin: WP Statistics
Plugin slug: wp-statistics
Installations: 600,000+
Vulnerability: Authenticated SQLi
Patched in version: 13.2.9
Severity score: High
CVE: CVE-2022-4230

The vulnerability has been patched, so you should update to version 13.2.9.

3. Sassy Social Share

Plugin: Social Sharing Plugin – Sassy Social Share
Plugin slug: sassy-social-share
Installations: 100,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 3.3.45
Severity score: Medium
CVE: CVE-2022-4451

The vulnerability has been patched, so you should update to version 3.3.45.

4. Google Analyticator

Plugin: Analyticator
Plugin slug: google-analyticator
Installations: 100,000+
Vulnerability: Admin+ PHP Object Injection
Patched in version: 6.5.6
Severity score: Low
CVE: CVE-2022-4323

The vulnerability has been patched, so you should update to version 6.5.6.

5. Simple Sitemap

Plugin: Simple Sitemap – Create a Responsive HTML Sitemap
Plugin slug: simple-sitemap
Installations: 90,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 3.5.8
Severity score: Medium
CVE: CVE-2022-4472

The vulnerability has been patched, so you should update to version 3.5.8.

6. Booster for WooCommerce

Plugin: Booster for WooCommerce
Plugin slug: woocommerce-jetpack
Installations: 70,000+
Vulnerability: Multiple CSRF
Patched in version: 6.0.1
Severity score: Medium
CVE: CVE-2022-4017

The vulnerability has been patched, so you should update to version 6.0.1.

7. Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Plugin: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Plugin slug: easy-facebook-likebox
Installations: 70,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 6.4.0
Severity score: Medium
CVE: CVE-2022-4474

The vulnerability has been patched, so you should update to version 6.4.0.

8. Collapse-O-Matic

Plugin: Collapse-O-Matic
Plugin slug: jquery-collapse-o-matic
Installations: 60,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.8.3
Severity score: Medium
CVE: CVE-2022-4475

The vulnerability has been patched, so you should update to version 1.8.3.

9. Search & Filter

Plugin: Search & Filter
Plugin slug: search-filter
Installations: 50,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.2.16
Severity score: Medium
CVE: CVE-2022-4467

The vulnerability has been patched, so you should update to version 1.2.16.

10. Content Control

Plugin: Content Control – User Access Restriction Plugin
Plugin slug: content-control
Installations: 40,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.1.10
Severity score: Medium
CVE: CVE-2022-4509

The vulnerability has been patched, so you should update to version 1.1.10.

11. Page-list

Plugin: Page-list
Plugin slug: page-list
Installations: 40,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 5.3
Severity score: Medium
CVE: CVE-2022-4485

The vulnerability has been patched, so you should update to version 5.3.

12. OneClick Chat to Order

Plugin: OneClick Chat to Order
Plugin slug: oneclick-whatsapp-order
Installations: 30,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.0.4.2
Severity score: Medium
CVE: CVE-2022-4760

The vulnerability has been patched, so you should update to version 1.0.4.2.

13. Sitemap

Plugin: Sitemap
Plugin slug: sitemap
Installations: 30,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 4.4
Severity score: Medium
CVE: CVE-2022-4545

The vulnerability has been patched, so you should update to version 4.4.

14. Compact WP Audio Player

Plugin: Compact WP Audio Player
Plugin slug: compact-wp-audio-player
Installations: 30,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 1.9.8
Severity score: Medium
CVE: CVE-2022-4542

The vulnerability has been patched, so you should update to version 1.9.8.

15. WP Popups

Plugin: WP Popups – WordPress Popup builder
Plugin slug: wp-popups-lite
Installations: 30,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 2.1.4.8
Severity score: Medium
CVE: CVE-2022-4716

The vulnerability has been patched, so you should update to version 2.1.4.8.

16. Top 10

Plugin: Top 10 – Popular posts plugin for WordPress
Plugin slug: top-10
Installations: 30,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 3.2.3
Severity score: Medium
CVE: CVE-2022-4570

The vulnerability has been patched, so you should update to version 3.2.3.

17. Login Logout Menu

Plugin: Login Logout Menu
Plugin slug: login-logout-menu
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS in Shortcode
Patched in version: 1.4.0
Severity score: Medium
CVE: CVE-2022-4625

The vulnerability has been patched, so you should update to version 1.4.0.

18. ShiftNav – Responsive Mobile Menu

Plugin: ShiftNav – Responsive Mobile Menu
Plugin slug: shiftnav-responsive-mobile-menu
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS in Shortcode
Patched in version: 1.7.2
Severity score: Medium
CVE: CVE-2022-4627

The vulnerability has been patched, so you should update to version 1.7.2.

19. Product Slider for WooCommerce

Plugin: Product Slider for WooCommerce
Plugin slug: woo-product-slider
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS in Shortcode
Patched in version: 2.6.4
Severity score: Medium
CVE: CVE-2022-4629

The vulnerability has been patched, so you should update to version 2.6.4.

20. Mongoose Page Plugin

Plugin: Mongoose Page Plugin
Plugin slug: facebook-page-feed-graph-api
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.9.0
Severity score: Medium
CVE: CVE-2022-4675

The vulnerability has been patched, so you should update to version 1.9.0.

21. Rate my Post – WP Rating

Plugin: Rate my Post – WP Rating System
Plugin slug: rate-my-post
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 3.3.9
Severity score: Medium
CVE: CVE-2022-4673

The vulnerability has been patched, so you should update to version 3.3.9.

22. WordPress Simple Shopping Cart

Plugin: WordPress Simple Shopping Cart
Plugin slug: wordpress-simple-paypal-shopping-cart
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 4.6.2
Severity score: Medium
CVE: CVE-2022-4672

The vulnerability has been patched, so you should update to version 4.6.2.

23. Structured Content

Plugin: Structured Content (JSON-LD) #wpsc
Plugin slug: structured-content
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS in Shortcode
Patched in version: 1.5.1
Severity score: Medium
CVE: CVE-2022-4715

The vulnerability has been patched, so you should update to version 1.5.1.

24. GS Logo Slider

Plugin: GS Logo Slider – Ticker, Grid, List, Table & Filter Views
Plugin slug: gs-logo-slider
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS in Shortcode
Patched in version: 3.3.8
Severity score: Medium
CVE: CVE-2022-4624

The vulnerability has been patched, so you should update to version 3.3.8.

25. Video Conferencing with Zoom 

Plugin: Video Conferencing with Zoom
Plugin slug: video-conferencing-with-zoom-api
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS
Patched in version: 4.0.10
Severity score: Medium
CVE: CVE-2022-4578

The vulnerability has been patched, so you should update to version 4.0.10.

26. Easy Appointments

Plugin: Easy Appointments
Plugin slug: easy-appointments
Installations: 20,000+
Vulnerability: Contributor+ Stored XSS in Shortcode
Patched in version: 3.11.2
Severity score: Medium
CVE: CVE-2022-4668

The vulnerability has been patched, so you should update to version 3.11.2.

27. GeoDirectory

Plugin: GeoDirectory – WordPress Business Directory Plugin and Classified Ads Listings
Plugin slug: geodirectory
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.2.22
Severity score: Medium
CVE: CVE-2022-4775

The vulnerability has been patched, so you should update to version 2.2.22.

28. Portfolio for Elementor, Image Gallery & Post Grid | PowerFolio

Plugin: Portfolio for Elementor, Image Gallery & Post Grid | PowerFolio
Plugin slug: portfolio-elementor
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.3.1
Severity score: Medium
CVE: CVE-2022-4765

The vulnerability has been patched, so you should update to version 2.3.1.

29. WP Google My Business Auto Publish

Plugin: Auto Publish for Google My Business
Plugin slug: wp-google-my-business-auto-publish
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 3.4
Severity score: Medium
CVE: CVE-2022-4790

The vulnerability has been patched, so you should update to version 3.4.

30. Landing Page Builder

Plugin: Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages
Plugin slug: page-builder-add
Installations: 10,000+
Vulnerability: Contributor+ Cross-Site Scripting via Shortcode
Patched in version: 1.4.9.9
Severity score: Medium
CVE: CVE-2022-4718

The vulnerability has been patched, so you should update to version 1.4.9.9.

31. WPZOOM Portfolio

Plugin: WPZOOM Portfolio
Plugin slug: wpzoom-portfolio
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.2.2
Severity score: Medium
CVE: CVE-2022-4789

The vulnerability has been patched, so you should update to version 1.2.2.

32. 10WebMapBuilder

Plugin: 10WebMapBuilder
Plugin slug: wd-google-maps
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.0.72
Severity score: Medium
CVE: CVE-2022-4758

The vulnerability has been patched, so you should update to version 1.0.72.

33. Word Balloon

Plugin: Word Balloon
Plugin slug: word-balloon
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 4.19.3
Severity score: Medium
CVE: CVE-2022-4751

The vulnerability has been patched, so you should update to version 4.19.3.

34. PDF Viewer

Plugin: PDF Viewer
Plugin slug: pdf-viewer
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.0.0
Severity score: Medium
CVE: CVE-2023-0033

The vulnerability has been patched, so you should update to version 1.0.0.

35. Print-O-Matic

Plugin: Print-O-Matic
Plugin slug: print-o-matic
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.1.8
Severity score: Medium
CVE: CVE-2022-4753

The vulnerability has been patched, so you should update to version 2.1.8.

36. HashBar – WordPress Notification Bar

Plugin: HashBar – WordPress Notification Bar
Plugin slug: hashbar-wp-notification-bar
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.3.6
Severity score: Medium
CVE: CVE-2022-4650

The vulnerability has been patched, so you should update to version 1.3.6.

37. PixCodes

Plugin: PixCodes
Plugin slug: pixcodes
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS in Shortcode
Patched in version: 2.3.7
Severity score: Medium
CVE: CVE-2022-4671

The vulnerability has been patched, so you should update to version 2.3.7.

38. Genesis Columns Advanced

Plugin: Genesis Columns Advanced
Plugin slug: genesis-columns-advanced
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 2.0.4
Severity score: Medium
CVE: CVE-2022-4706

The vulnerability has been patched, so you should update to version 2.0.4.

39. Passster

Plugin: Passster – Password Protection
Plugin slug: content-protector
Installations: 10,000+
Vulnerability: Protection Bypass & Arbitrary Post Access; Contributor+ Stored Cross-Site Scripting
Patched in version: 3.5.5.9
Severity score: High
CVE: CVE-2021-24881

The vulnerability has been patched, so you should update to version 3.5.5.9.

40. Bold Timeline Lite

Plugin: Bold Timeline Lite
Plugin slug: bold-timeline-lite
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.1.5
Severity score: Medium
CVE: CVE-2022-4828

The vulnerability has been patched, so you should update to version 1.1.5.

41. Icon Widget

Plugin: Icon Widget
Plugin slug: icon-widget
Installations: 9,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.3.0
Severity score: Medium
CVE: CVE-2022-4763

The vulnerability has been patched, so you should update to version 1.3.0.

42. User Verification

Plugin: User Verification
Plugin slug: user-verification
Installations: 5,000+
Vulnerability: Authentication Bypass
Patched in version: 1.0.94
Severity score: Critical
CVE: CVE-2022-4693

The vulnerability has been patched, so you should update to version 1.0.94.

43. Survey Maker

Plugin: Survey Maker – Best WordPress Survey Plugin
Plugin slug: survey-maker
Installations: 3,000+
Vulnerability: Unauthenticated Stored XSS
Patched in version: 3.1.4
Severity score: High
CVE: CVE-2023-0038

The vulnerability has been patched, so you should update to version 3.1.4.

44. Pardakht Delkhah

Plugin: Pardakht Delkhah
Plugin slug: pardakht-delkhah
Installations: 1,000+
Vulnerability: Unauthenticated Stored XSS
Patched in version: 2.9.3
Severity score: High
CVE: CVE-2022-4307

The vulnerability has been patched, so you should update to version 2.9.3.

45. Optimize images ALT Text (alt tag) & names for SEO using AI

Plugin: Optimize images ALT Text (alt tag) & names for SEO using AI
Plugin slug: imageseo
Installations: 1,000+
Vulnerability: Settings Update via CSRF
Patched in version: 2.0.8
Severity score: Low
CVE: CVE-2022-4548

The vulnerability has been patched, so you should update to version 2.0.8.

46. FluentAuth

Plugin: FluentAuth – The Ultimate Authorization & Security Plugin for WordPress
Plugin slug: fluent-security
Installations: 700+
Vulnerability: Bypass blocks by IP Spoofing
Patched in version: 1.0.2
Severity score: Medium
CVE: CVE-2022-4746

The vulnerability has been patched, so you should update to version 1.0.2.

47. Login as User or Customer

Plugin: Login as User or Customer
Plugin slug: login-as-customer-or-user
Installations: 400+
Vulnerability: Unauthenticated Privilege Escalation to Admin
Patched in version: 3.3
Severity score: Critical
CVE: CVE-2022-4305

The vulnerability has been patched, so you should update to version 3.3.

48. Booster for WooCommerce

Plugin: Booster Elite for WooCommerce
Plugin slug: booster-elite-for-woocommerce
Vulnerability: Multiple CSRF
Patched in version: 6.0.1
Severity score: Medium
CVE: CVE-2022-4017

The vulnerability has been patched, so you should update to version 6.0.1.

49. BruteBank – WP Security & Firewall

Plugin: BruteBank – WP Security & Firewall
Plugin slug: brutebank
Vulnerability: Settings Update via CSRF
Patched in version: 1.9
Severity score: Medium
CVE: CVE-2022-4443

The vulnerability has been patched, so you should update to version 1.9.

50. Booster for WooCommerce

Plugin: Booster Plus for WooCommerce
Plugin slug: booster-plus-for-woocommerce
Vulnerability: Multiple CSRF
Patched in version: 6.0.1
Severity score: Medium
CVE: CVE-2022-4017

The vulnerability has been patched, so you should update to version 6.0.1.

51. Justified Gallery

Plugin: Justified Gallery
Plugin slug: justified-gallery
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: 1.7.1
Severity score: Medium
CVE: CVE-2022-4651

The vulnerability has been patched, so you should update to version 1.7.1.


WordPress Plugin Vulnerabilities – No Known Fix

Until a patch is available, immediately uninstall and delete the plugin.

WP Limit Login Attempts

Plugin: WP Limit Login Attempts
Plugin slug: wp-limit-login-attempts
Installations: 20,000+
Vulnerability: IP Spoofing
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4303

The vulnerability has not been patched. You should deactivate the plugin.

Members Import

Plugin: Members Import
Plugin slug: members-import
Vulnerability: XSS via Imported CSV
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4663

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Accordion Shortcodes

Plugin: Accordion Shortcodes
Plugin slug: accordion-shortcodes
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4781

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

CPT Bootstrap Carousel

Plugin: CPT Bootstrap Carousel
Plugin slug: cpt-bootstrap-carousel
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4834

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Meteor Slides

Plugin: Meteor Slides
Plugin slug: meteor-slides
Vulnerability: Contributor+ Stored XSS
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4486

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

CBX Petition for WordPress

Plugin: CBX Petition for WordPress
Plugin slug: cbxpetition
Vulnerability: Unauthenticated SQLi
Patched in version: No Fix
Severity score: High
CVE: CVE-2022-4383

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Social Sharing Toolkit

Plugin: Social Sharing Toolkit
Plugin slug: social-sharing-toolkit
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4835

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

MediaElement.js – HTML5 Video & Audio Player

Plugin: MediaElement.js – HTML5 Video & Audio Player
Plugin slug: media-element-html5-video-and-audio-player
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in version: No Fix
Severity score: Medium
CVE: CVE-2022-4699

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

EU Cookie Law

Plugin: EU Cookie Law for GDPR/CCPA
Plugin slug: eu-cookie-law
Vulnerability: Admin+ Stored XSS
Patched in version: No Fix
Severity score: Low
CVE: CVE-2022-3811

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

1. Multiple themes – Unauthenticated Arbitrary File Upload

Theme: WeStand
Theme slug: westand
Vulnerability: RCE
Patched in version: 2.1
Severity score: Critical
CVE: CVE-2022-0316

The vulnerability has been patched, so you should update to version 2.1.

WordPress Theme Vulnerabilities – No Known Fix

This section contains theme vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the theme.

Aidreform

Theme: aidreform
Theme slug: aidreform
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: No Fix
Severity score: Critical
CVE: CVE-2022-0316

The vulnerability has not been patched. You should switch themes.

Kingclub-theme

Theme: kingclub-theme
Theme slug: kingclub-theme
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: No Fix
Severity score: Critical
CVE: CVE-2022-0316

The vulnerability has not been patched. You should switch themes.

Footysquare

Theme: footysquare
Theme slug: footysquare
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: No Fix
Severity score: Critical
CVE: CVE-2022-0316

The vulnerability has not been patched. You should switch themes.

Spikes-black

Theme: spikes-black
Theme slug: spikes-black
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: No Fix
Severity score: Critical
CVE: CVE-2022-0316

The vulnerability has not been patched. You should switch themes.

Statfort

Theme: statfort
Theme slug: statfort
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: No Fix
Severity score: Critical
CVE: CVE-2022-0316

The vulnerability has not been patched. You should switch themes.

Spikes

Theme: spikes
Theme slug: spikes
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: No Fix
Severity score: Critical
CVE: CVE-2022-0316

The vulnerability has not been patched. You should switch themes.

Club-theme

Theme: club-theme
Theme slug: club-theme
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: No Fix
Severity score: Critical
CVE: CVE-2022-0316

The vulnerability has not been patched. You should switch themes.

Soundblast

Theme: soundblast
Theme slug: soundblast
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: No Fix
Severity score: Critical
CVE: CVE-2022-0316

The vulnerability has not been patched. You should switch themes.

Bolster

Theme: bolster
Theme slug: bolster
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in version: No Fix
Severity score: Critical
CVE: CVE-2022-0316

The vulnerability has not been patched. You should switch themes.


If you are under our WordPress Managed Maintenance plan, there is nothing to worry about, as we've taken the necessary steps to protect your sites. Yay!

The information for this blog post was taken from the iThemes Vulnerability Roundup.

If you're not under our maintenance plan... well, what are you waiting for? Sign up today!