WordPress Vulnerabilities & Patch Roundup — April 2022

April 2022 Sucuri Vulnerability Roundup

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.


Remote Code Execution (RCE)

Elementor WordPress Plugin

  • Installations: 5,000,000+
  • Patched Version: 3.6.3
  • Vulnerability: Remote code execution (RCE)
  • Severity: Critical
  • CVE: CVE-2022-1329

This critical vulnerability leverages a lack of capability checks found in vulnerable versions of the Elementor plugin.

Attackers are able to upload and execute malicious code as a fake plugin archive file using the vulnerable upload_and_install_pro action to compromise vulnerable websites. By exploiting this vulnerability, attackers can easily take over the whole site and access resources on the web server.

Mitigation steps: Update the plugin to version 3.6.3 or greater as soon as possible.


Broken Access Control

Advanced Custom Fields WordPress Plugin

This vulnerability leverages insufficient authorization checks for authenticated users found in vulnerable versions of the Advanced Custom Fields and Advanced Custom Fields Pro plugins.

Attackers with a role of Contributor or higher are able to view information from the database without the required permissions, which can lead to exposure of sensitive information.

Mitigation steps: Update the Advanced Custom Fields and Advanced Custom Fields Pro plugins to version 5.12.1 or greater as soon as possible.


Sitemap by click5

This vulnerability leverages insufficient validation when updating site options: an unauthenticated attacker can change arbitrary site options and take over the website, for example by enabling user registration and setting the default role for new users to Administrator.

Mitigation steps: Update the plugin to version 1.0.36 or greater as soon as possible.
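Both the Elementor and the Sitemap by click5 issues above come down to a privileged admin-ajax action reachable without the checks WordPress expects. The following is an added example written for this roundup, not code from either plugin; every name prefixed `example_` is hypothetical, and the audit helper assumes the site's intended default role is `subscriber`.

```php
// Added example (not Elementor's or click5's code): the authorization pattern a
// WordPress plugin needs on privileged admin-ajax actions. All names prefixed
// "example_" are hypothetical.

// Privileged action such as installing an uploaded plugin archive: require a
// nonce tied to this action and the capability WordPress defines for the task.
add_action( 'wp_ajax_example_install_upload', 'example_install_upload' );
function example_install_upload() {
    // The nonce stops cross-site request forgery; it is not an authorization check.
    check_ajax_referer( 'example_install_upload', 'nonce' );
    // The missing piece in a capability-check flaw: without this test any
    // logged-in user (or, under wp_ajax_nopriv_, any visitor) reaches the install path.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // ends the request
    }
    // ... validate the archive and hand it to the WordPress upgrader ...
    wp_send_json_success();
}

// Settings writer: never pass client-supplied option names to update_option().
// Allowlist the keys this plugin owns and pair each with a sanitizer.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_sitemap_enabled' => 'rest_sanitize_boolean',
    'example_sitemap_slug'    => 'sanitize_title',
);
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    check_ajax_referer( 'example_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    foreach ( EXAMPLE_ALLOWED_OPTIONS as $key => $sanitizer ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( $key, call_user_func( $sanitizer, wp_unslash( $_POST[ $key ] ) ) );
        }
    }
    wp_send_json_success();
}

// Post-incident check for the takeover state the roundup describes: open
// registration combined with a privileged default role (assumes the intended
// default role is subscriber). An empty result is the expected state.
function example_audit_registration_options() {
    $findings = array();
    if ( get_option( 'users_can_register' ) ) {
        $findings[] = 'users_can_register is enabled';
    }
    if ( 'subscriber' !== get_option( 'default_role' ) ) {
        $findings[] = 'default_role is ' . get_option( 'default_role' );
    }
    return $findings;
}
```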


Cross Site Scripting (XSS)

WP DSGVO Tools (GDPR)

  • Installations: 20,000+
  • Patched Version: 3.1.24
  • Vulnerability: XSS
  • Severity: Medium

This vulnerability is caused by a lack of authorization in addition to a lack of sanitization for user-supplied input in vulnerable versions of the WP DSGVO Tools (GDPR) Plugin.

Attackers can leverage this vulnerability to update the plugin settings and inject an XSS payload, which is then triggered on every page visitors load.

Mitigation steps: Update the plugin to version 3.1.24 or greater as soon as possible.
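The settings-to-every-page path described above is stored XSS: a value written once by an authorized request is rendered on each visit. As an added example, not WP DSGVO Tools' code, the snippet below handles a site-wide notice setting so that markup is allowlisted on save and escaped again on output; the option names and the `wp_footer` hook are hypothetical choices.

```php
// Added example, not WP DSGVO Tools' code: a plugin setting rendered on every
// page, handled so a stored XSS payload never reaches the browser as live markup.
// Option names and the output hook are hypothetical.

// On save: authorize, then sanitize for the setting's purpose. A notice that
// legitimately carries markup goes through a wp_kses allowlist, so script tags
// and event-handler attributes are stripped instead of stored.
const EXAMPLE_NOTICE_ALLOWED_HTML = array(
    'a'      => array( 'href' => true, 'rel' => true ),
    'strong' => array(),
    'em'     => array(),
);
add_action( 'wp_ajax_example_save_notice', 'example_save_notice' );
function example_save_notice() {
    check_ajax_referer( 'example_save_notice', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw = isset( $_POST['notice_html'] ) ? wp_unslash( $_POST['notice_html'] ) : '';
    update_option( 'example_notice_html', wp_kses( $raw, EXAMPLE_NOTICE_ALLOWED_HTML ) );
    // Plain-text settings get a plain-text sanitizer.
    $label = isset( $_POST['button_label'] ) ? wp_unslash( $_POST['button_label'] ) : '';
    update_option( 'example_button_label', sanitize_text_field( $label ) );
    wp_send_json_success();
}

// On output: escape for the context the value lands in, even though it was
// sanitized on save. Defense in depth: the option may have been written by
// another code path or directly in the database.
add_action( 'wp_footer', 'example_render_notice' );
function example_render_notice() {
    $notice = get_option( 'example_notice_html', '' );
    $label  = get_option( 'example_button_label', 'OK' );
    // wp_kses re-applies the allowlist at render time; esc_attr() for an
    // attribute value, esc_html() for text content.
    echo '<div class="example-notice">'
        . wp_kses( $notice, EXAMPLE_NOTICE_ALLOWED_HTML )
        . '<button title="' . esc_attr( $label ) . '">' . esc_html( $label ) . '</button>'
        . '</div>';
}
```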


SQLi

We tracked a number of SQL injection vulnerabilities in April which are blocked by our generic firewall rules. These vulnerabilities are due to parameters that are not properly validated, escaped, or sanitized prior to use in SQL queries.

Attackers are able to leverage these vulnerabilities to inject malicious SQL that interferes with the application's queries and extracts sensitive information from the database.


Photo Gallery

  • Installations: 300,000+
  • Patched Version: 1.6.3
  • Vulnerability: SQLi
  • Severity: High
  • CVE: CVE-2022-1281

This vulnerability is caused by a lack of sanitization within the filters: the plugin does not properly escape the $_POST['filter_tag'] parameter before adding it to a SQL query. It is especially dangerous because it requires no permissions and is reachable by unauthenticated visitors.

Mitigation steps: Update the plugin to version 1.6.3 or greater as soon as possible.


MapSVG

  • Installations: 10,000+
  • Patched Version: 6.2.20
  • Vulnerability: SQLi
  • Severity: Medium
  • CVE: CVE-2022-0592

Mitigation steps: Update the plugin to version 6.2.20 or greater as soon as possible.


Infographic Maker – iList

  • Installations: 1,000+
  • Patched Version: 4.3.8
  • Vulnerability: SQLi
  • Severity: Medium
  • CVE: CVE-2022-0747

This vulnerability is due to improper handling of the post_id parameter. Both unauthenticated and authenticated attackers are able to leverage the qcld_upvote_action AJAX action to inject malicious SQL.

Mitigation steps: Update the plugin to version 4.3.8 or greater as soon as possible.
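The Photo Gallery and iList entries are the two usual shapes of a WordPress SQL injection: a free-text parameter (filter_tag) and an integer identifier (post_id) reaching a query unescaped. The following is an added example, not code from either plugin; the table names and the `example_` functions are hypothetical, and `$wpdb` is the global WordPress database object.

```php
// Added example, not Photo Gallery's or iList's code: the two shapes of SQL
// injection the roundup describes and how $wpdb->prepare() closes them.
// Table and column names are hypothetical.

// Unsafe: a POST parameter interpolated straight into the query string. Any
// quote or operator in $_POST['filter_tag'] becomes part of the statement.
function example_unsafe_tag_query( $wpdb ) {
    $tag = $_POST['filter_tag'];
    return $wpdb->get_results( "SELECT id, name FROM {$wpdb->prefix}example_images WHERE tag = '$tag'" );
}

// Safe: placeholders bind the value as data, never as SQL. %s quotes and
// escapes a string, %d casts to an integer.
function example_safe_tag_query( $wpdb ) {
    $tag = isset( $_POST['filter_tag'] ) ? sanitize_text_field( wp_unslash( $_POST['filter_tag'] ) ) : '';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, name FROM {$wpdb->prefix}example_images WHERE tag = %s", $tag )
    );
}

// Pattern matching needs one more step: escape LIKE wildcards before binding,
// otherwise a user-supplied % or _ still changes what the query matches.
function example_safe_tag_search( $wpdb, $needle ) {
    $like = '%' . $wpdb->esc_like( $needle ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, name FROM {$wpdb->prefix}example_images WHERE tag LIKE %s", $like )
    );
}

// Integer identifiers such as post_id: cast first, then bind with %d. absint()
// turns anything non-numeric into 0, so reject that before touching the database.
function example_safe_upvote( $wpdb, $raw_post_id ) {
    $post_id = absint( $raw_post_id );
    if ( 0 === $post_id ) {
        return false;
    }
    return $wpdb->query(
        $wpdb->prepare( "UPDATE {$wpdb->prefix}example_votes SET votes = votes + 1 WHERE post_id = %d", $post_id )
    );
}
```

In a real AJAX handler the upvote function would sit behind the nonce and capability checks shown earlier in this roundup; prepare() addresses the injection, not the authorization.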


BadgeOS

  • Installations: 1,000+
  • Patched Version: No known fix: Plugin closed
  • Vulnerability: SQLi
  • Severity: Medium
  • CVE: CVE-2022-0817

Mitigation steps: This plugin has been closed as of March 29th, 2022. Remove the plugin until a known fix is available.


WordPress 5.9.3 Core Updates

A new core update for WordPress has been released which features 19 bug fixes. We strongly encourage you to keep your CMS patched with the latest core updates to mitigate risk.

Users who are not able to update their software with the latest version are encouraged to use a web application firewall to virtually patch these vulnerabilities and protect their website.