Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
WordPress 6.0.2 Core Update
WordPress 6.0.2 has been released as a core update that includes security and bug fixes. We strongly encourage you to keep your CMS patched with the latest core updates to mitigate risk.
Youzify – Unauthenticated SQLi
Security Risk: Critical
Vulnerability: SQL Injection
Exploitation Level: Can be exploited remotely without authentication.
CVE: CVE-2022-1950
Number of Installations: 8,000+
Affected Software: Youzify <= 1.1.9
Patched Versions: Youzify 1.2.0
This vulnerability stems from parameters that are not properly sanitized and escaped before they are used in a SQL statement reached through an AJAX action. Unauthenticated attackers can exploit it to perform SQL injection.
Mitigation steps: Update to Youzify plugin version 1.2.0 or greater.
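Added example, not Youzify's code: an AJAX search handler written the vulnerable way and the hardened way, assuming WordPress is loaded. The action name, table name and request parameter are hypothetical.

```php
<?php
// Added example (not the plugin's code). Assumes WordPress is loaded so that
// $wpdb, add_action(), check_ajax_referer() and wp_send_json_*() exist.
// The action 'demo_profile_search' and table demo_profiles are hypothetical.

// Vulnerable pattern: request input is concatenated straight into the SQL.
// Hooked on wp_ajax_nopriv_*, this would be reachable without logging in.
function demo_profile_search_unsafe() {
    global $wpdb;
    $term = $_POST['term'] ?? '';
    $sql  = "SELECT user_id, display_name FROM {$wpdb->prefix}demo_profiles"
          . " WHERE display_name LIKE '%" . $term . "%'";
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Hardened pattern: the value is bound with prepare(), LIKE wildcards in the
// input are escaped, and a nonce ties the request to the site's own pages.
function demo_profile_search_safe() {
    global $wpdb;
    check_ajax_referer( 'demo_profile_search', 'nonce' ); // dies on a bad nonce
    $term = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    if ( '' === $term ) {
        wp_send_json_error( 'missing term', 400 );
    }
    // esc_like() escapes % and _ so input cannot widen the pattern;
    // prepare() binds the value so it can never change the statement.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT user_id, display_name FROM {$wpdb->prefix}demo_profiles"
        . " WHERE display_name LIKE %s LIMIT %d",
        $like,
        20
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Only the hardened handler is registered, for logged-in and anonymous users.
add_action( 'wp_ajax_demo_profile_search',        'demo_profile_search_safe' );
add_action( 'wp_ajax_nopriv_demo_profile_search', 'demo_profile_search_safe' );
```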
CAPTCHA 4WP – Local File Inclusion via CSRF
Security Risk: High
Vulnerability: Broken Access Control
Exploitation Level: Hard
CVE: CVE-2022-2184
Number of Installations: 200,000+
Affected Software: CAPTCHA 4WP <= 7.0.6.1
Patched Versions: CAPTCHA 4WP 7.1.0
User input is able to reach a sensitive require_once call in a template on the admin side of the plugin, allowing an attacker to run arbitrary code on the server via a cross-site request forgery attack.
Mitigation steps: Update to CAPTCHA 4WP plugin version 7.1.0 or greater.
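Added example, not CAPTCHA 4WP's code: an admin-side template include driven by a request parameter, first as the risky pattern and then with a capability check, a nonce and an allowlist, assuming WordPress is loaded. The page slug, tab names and template files are hypothetical.

```php
<?php
// Added example (not the plugin's code). Assumes WordPress is loaded; the
// settings page 'demo-settings' and its templates are hypothetical.

// Risky pattern: the request chooses the included file, and nothing ties the
// request to an action the logged-in admin actually intended, so a link or
// form served by another site can drive the include.
function demo_render_settings_tab_unsafe() {
    $tab = $_GET['tab'] ?? 'general';
    require_once plugin_dir_path( __FILE__ ) . 'templates/' . $tab . '.php';
}

// Hardened pattern: capability check, nonce check, and an allowlist that maps
// the request value to a fixed file name. The request string itself never
// becomes part of the path handed to require_once.
function demo_render_settings_tab_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_settings_tab' ); // dies on a missing/invalid nonce

    $templates = array(
        'general'  => 'general.php',
        'advanced' => 'advanced.php',
    );
    $tab = sanitize_key( $_GET['tab'] ?? 'general' );
    if ( ! isset( $templates[ $tab ] ) ) {
        $tab = 'general'; // unknown value: fall back, do not build a path from it
    }
    require_once plugin_dir_path( __FILE__ ) . 'templates/' . $templates[ $tab ];
}

// Links the plugin renders to its own tabs carry the nonce so that genuine
// navigation passes the check above while a forged link does not.
function demo_settings_tab_url( $tab ) {
    $url = add_query_arg(
        array( 'page' => 'demo-settings', 'tab' => $tab ),
        admin_url( 'options-general.php' )
    );
    return wp_nonce_url( $url, 'demo_settings_tab' );
}
```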
OAuth Single Sign On – Broken Authentication
Security Risk: High
Vulnerability: Broken Authentication and Session Management
Exploitation Level: Can be exploited remotely without any authentication.
CVE: CVE-2022-2133
Number of Installations: 3,000+
Affected Software: OAuth Single Sign On <= 6.22.5
Patched Versions: OAuth Single Sign On 6.22.6
Access token requests are not validated to ensure they are legitimate, allowing an attacker to log in to the website using a user's email address.
Mitigation steps: Update to OAuth Single Sign On plugin version 6.22.6 or greater.
Visualizer: Tables and Charts Manager for WordPress – Contributor+ PHAR Deserialization
Security Risk: High
Vulnerability: Insecure Deserialization
Exploitation Level: Requires contributor or higher role user authentication.
CVE: CVE-2022-2256
Number of Installations: 40,000+
Affected Software: Visualizer: Tables and Charts Manager for WordPress <= 3.7.9
Patched Versions: Visualizer: Tables and Charts Manager for WordPress 3.7.10
The remote_data parameter is not validated, which allows users with the Contributor role or higher to load files through the PHAR stream wrapper. Doing so deserializes the archive's metadata, allowing the attacker to instantiate arbitrary PHP objects when a POP (Property Oriented Programming) chain is present.
Mitigation steps: Update the Visualizer: Tables and Charts Manager for WordPress plugin to version 3.7.10 or greater.
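Added example, not Visualizer's code: validating a user-supplied remote_data value before any file function sees it, in plain PHP that runs stand-alone. The function names and the sample inputs are constructed.

```php
<?php
// Added example (not the plugin's code). Pure PHP; sample inputs constructed.

/**
 * Returns the URL when it is a plain http(s) URL with a usable host, else null.
 * Only parse_url() touches the raw string: on PHP before 8.0, file_exists(),
 * is_file(), filesize() and similar calls on a phar:// string open the
 * archive and unserialize its metadata, so none of them may run before this.
 */
function demo_validate_remote_source( string $raw ): ?string {
    $raw = trim( $raw );
    if ( '' === $raw || strlen( $raw ) > 2048 ) {
        return null;
    }
    $parts = parse_url( $raw );
    if ( false === $parts || ! isset( $parts['scheme'], $parts['host'] ) ) {
        return null; // relative paths and bare wrapper strings end here
    }
    // Scheme allowlist: phar://, php://, data://, file://, ftp:// all fail.
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return null;
    }
    // parse_url() is lenient about hosts; insist on a hostname or IP literal.
    $host = trim( $parts['host'], '[]' );
    if ( ! filter_var( $host, FILTER_VALIDATE_IP ) && ! preg_match( '/^[A-Za-z0-9.-]+$/', $host ) ) {
        return null;
    }
    return $raw;
}

function demo_fetch_remote_data( string $remote_data ): ?string {
    $url = demo_validate_remote_source( $remote_data );
    if ( null === $url ) {
        return null; // the raw string never reached a file function
    }
    // Inside WordPress wp_remote_get() belongs here; plain PHP is shown.
    $body = @file_get_contents( $url );
    return false === $body ? null : $body;
}

// Constructed inputs: a stream-wrapper string, a php:// URI and a plain
// https URL. Only the last one passes validation.
$samples = array(
    'phar:///tmp/upload.jpg/data.csv',
    'php://filter/resource=data.csv',
    'https://example.com/exports/data.csv',
);
foreach ( $samples as $in ) {
    printf( "%-7s %s\n", null === demo_validate_remote_source( $in ) ? 'reject' : 'accept', $in );
}
```

This check only rules out stream wrappers and non-http(s) schemes; deciding which hosts the site may fetch from (as WordPress's wp_http_validate_url() does) is a separate control.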
Name Directory – Reflected Cross-Site Scripting
Security Risk: Medium
Vulnerability: Broken Access Control
Exploitation Level: Minor
CVE: CVE-2022-2072
Number of Installations: 3,000+
Affected Software: Name Directory <= 1.25.
Patched Versions: Name Directory 1.25.5
A parameter is not sanitized and escaped before outputting it back in the page, which can lead to reflected cross-site scripting attacks. The payload can also be saved in the database after the request, which can lead to stored cross-site scripting.
Mitigation steps: Update to Name Directory plugin version 1.25.5 or greater.
Simple Membership – Unauthenticated Membership Privilege Escalation
Security Risk: Medium
Vulnerability: Broken Authentication & Session Management
Exploitation Level: Unauthenticated - Anyone can exploit it trivially
CVE: CVE-2022-2317
Number of Installations: 50,000+
Affected Software: Simple Membership <= 4.1.2
Patched Versions: Simple Membership 4.1.3
Insufficient checks on a user-supplied parameter allow a user to change their plugin membership level during registration. This does not affect the user's WordPress role.
Mitigation steps: Update to Simple Membership plugin version 4.1.3 or greater.
User Private Files – Subscriber+ Arbitrary File Upload
Security Risk: Critical
Vulnerability: Injection
Exploitation Level: Requires subscriber or higher role user authentication.
CVE: CVE-2022-2356
Number of Installations: 400+
Affected Software: User Private Files <= 1.1.2
Patched Versions: User Private Files 1.1.3
File extensions are not filtered by the plugin when users upload files to the server, allowing malicious code to be uploaded to the environment.
Mitigation steps: Update to User Private Files plugin version 1.1.3 or greater.
Advanced WordPress Reset – Reflected Cross-Site Scripting
Security Risk: Medium
Vulnerability: Cross Site Scripting (XSS)
Exploitation Level: Medium - requires admin to visit a link.
CVE: CVE-2022-2181
Number of Installations: 40,000+
Affected Software: Simple Membership <= 1.5
Patched Versions: Simple Membership 1.6
Some generated URLs are not escaped before outputting them back into href attributes on Admin dashboard pages, making it possible for attackers to launch reflected cross-site scripting attacks.
Mitigation steps: Update Simple Membership plugin to version 1.6 or greater.
YOP Poll – IP Spoofing
Security Risk: Medium
Vulnerability: Broken Access Control
Exploitation Level: Trivial, but also very little impact (poll manipulation).
CVE: CVE-2022-1600
Number of Installations: 20,000+
Affected Software: YOP Poll <= 6.4.2
Patched Versions: YOP Poll 6.4.3
The visitor's IP address is taken, in priority order, from certain HTTP headers instead of from REMOTE_ADDR, which in certain situations allows a bad actor to bypass IP-based voting limits.
Mitigation steps: Update to YOP Poll plugin version 6.4.3 or greater.
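Added example, not YOP Poll's code: resolving the visitor address for an IP-based vote limit, first by trusting client headers and then by trusting only REMOTE_ADDR plus forwarding headers from the site's own proxies, in plain PHP that runs stand-alone. The proxy addresses and requests are constructed.

```php
<?php
// Added example (not the plugin's code). Pure PHP; addresses are constructed.

// Vulnerable pattern: these headers are written by whoever sends the request,
// so the sender picks the address the limiter sees.
function demo_client_ip_unsafe( array $server ): string {
    foreach ( array( 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR' ) as $key ) {
        if ( ! empty( $server[ $key ] ) ) {
            return trim( explode( ',', $server[ $key ] )[0] );
        }
    }
    return '';
}

// Hardened pattern: REMOTE_ADDR is the only value the web server itself sets.
// X-Forwarded-For is consulted only when REMOTE_ADDR is a proxy the site
// operates, and only the right-most hop not added by those proxies is used.
function demo_client_ip_safe( array $server, array $trusted_proxies ): string {
    $addr = $server['REMOTE_ADDR'] ?? '';
    if ( ! in_array( $addr, $trusted_proxies, true ) || empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        return $addr;
    }
    $hops = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
    for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
        if ( in_array( $hops[ $i ], $trusted_proxies, true ) ) {
            continue; // appended by our own proxy chain, keep walking left
        }
        // First hop not written by us; anything further left is unverifiable.
        return filter_var( $hops[ $i ], FILTER_VALIDATE_IP ) ? $hops[ $i ] : $addr;
    }
    return $addr;
}

// Constructed requests. The site runs two proxies, 10.0.0.1 (edge) and
// 10.0.0.2; each appends the peer it spoke to, so a genuine request from
// 198.51.100.1 reaches PHP with REMOTE_ADDR 10.0.0.2.
$proxies = array( '10.0.0.1', '10.0.0.2' );
$cases   = array(
    'direct, forged header'  => array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1' ),
    'proxied, genuine'       => array( 'REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 10.0.0.1' ),
    'proxied, forged prefix' => array( 'REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '192.0.2.9, 198.51.100.1, 10.0.0.1' ),
);
foreach ( $cases as $label => $server ) {
    printf( "%-24s unsafe=%-14s safe=%s\n", $label, demo_client_ip_unsafe( $server ), demo_client_ip_safe( $server, $proxies ) );
}
```

The hardened function returns the real peer 203.0.113.7 for the first case and 198.51.100.1 for the other two, while the unsafe one returns whatever the header claims (198.51.100.1, 198.51.100.1 and 192.0.2.9).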
Header Footer Code Manager – Reflected Cross-Site Scripting
Security Risk: Medium
Vulnerability: Cross-Site Scripting (XSS)
Exploitation Level: Medium
CVE: CVE-2022-0899
Number of Installations: 300,000+
Affected Software: Header Footer Code Manager <= 1.1.23
Patched Versions: Header Footer Code Manager 1.1.24
Generated URLs are not escaped before being output into attributes on admin pages, which can lead to reflected cross-site scripting attacks.
Mitigation steps: Update to Header Footer Code Manager plugin version 1.1.24 or greater.
Unyson – Reflected Cross-Site Scripting
Security Risk: Medium
Vulnerability: Cross-Site Scripting
Exploitation Level: Medium
CVE: CVE-2022-2219
Number of Installations: 200,000+
Affected Software: Unyson <= 2.7.26
Patched Versions: Unyson 2.7.27
A parameter is not sanitized and escaped before outputting it back on the page, which can lead to a reflected cross-site scripting attack.
Mitigation steps: Update to Unyson plugin version 2.7.27 or greater.
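Added example covering the reflected cross-site scripting pattern shared by the Advanced WordPress Reset, Header Footer Code Manager and Unyson entries above; it is not code from any of those plugins. It renders an admin page that echoes a request parameter and a generated URL, first unescaped and then escaped for each output context, assuming WordPress is loaded; the page slug is hypothetical.

```php
<?php
// Added example (not any plugin's code). Assumes WordPress is loaded; the
// admin page slug 'demo-list' is hypothetical.

// Vulnerable pattern. add_query_arg() with no base URL builds on
// $_SERVER['REQUEST_URI'], so whatever the visitor put in the request path or
// query string comes back inside the href; $_GET['s'] comes back verbatim.
function demo_list_page_unsafe() {
    $search   = $_GET['s'] ?? '';
    $next_url = add_query_arg( 'paged', 2 );
    echo '<form method="get"><input type="text" name="s" value="' . $search . '"></form>';
    echo '<a href="' . $next_url . '">Next page</a>';
}

// Hardened pattern: each value is escaped for the context it lands in.
// esc_url() rejects dangerous schemes and encodes quotes, so the generated
// URL cannot break out of the href attribute; esc_attr() and esc_html()
// do the same for the input value and the visible text.
function demo_list_page_safe() {
    $search = sanitize_text_field( wp_unslash( $_GET['s'] ?? '' ) );
    // Build the link from a known base rather than from the request URI.
    $next_url = add_query_arg(
        array( 'paged' => 2, 's' => $search ),
        admin_url( 'admin.php?page=demo-list' )
    );
    ?>
    <form method="get">
        <input type="hidden" name="page" value="demo-list">
        <input type="text" name="s" value="<?php echo esc_attr( $search ); ?>">
    </form>
    <p>Results for: <?php echo esc_html( $search ); ?></p>
    <a href="<?php echo esc_url( $next_url ); ?>">Next page</a>
    <?php
}
```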
WordPress Popular Posts – Reflected Cross-Site Scripting
Security Risk: Medium
Vulnerability: Cross-Site Scripting
Exploitation Level: Medium
CWE: CWE-79
Number of Installations: 200,000+
Affected Software: WordPress Popular Posts <= 5.5.1
Patched Versions: WordPress Popular Posts 6.0.0
Mitigation steps: Update to WordPress Popular Posts plugin version 6.0.0 or greater.
WPDating – Multiple SQL Injection Issues
Security Risk: High
Vulnerability: Injection
CVE: CVE-2022-2460
Affected Software: WPDating <= 7.1.9
Patched Versions: N/A
User input is not properly escaped before concatenating it to SQL queries, which can lead to multiple different types of SQL injection vulnerabilities.
Mitigation steps: No known fix. Uninstall the plugin until a patch is available.
Users who are not able to update their software with the latest version are encouraged to use a web application firewall to virtually patch these vulnerabilities and protect their website.