Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed in this roundup are virtually patched by the Sucuri Firewall and existing clients are protected.
WordPress 6.0.2 Core Update
A new core update for WordPress has been released which features security and bug fixes in WordPress 6.0.2. We strongly encourage you to always keep your CMS patched with the latest core updates to mitigate risk and protect your site.
All-in-One WP Migration — Unauthenticated Reflected Cross-Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires a privileged user to visit a malicious link Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2022-2546 Number of Installations: 4,000,000+ Affected Software: All-in-One WP Migration <= 7.6.2 Patched Versions: All-in-One WP Migration 7.6.3
This vulnerability leverages an improperly escaped response from the ai1wm action, which allows an attacker to craft a request that injects arbitrary HTML or JavaScript into the response when submitted by any visitor which is then executed within the victim’s session.
Mitigation steps: Update to All-in-One WP Migration plugin version 7.6.3 or greater.
Advanced Custom Fields – Unauthenticated File Upload
Security Risk: High Exploitation Level: Can be exploited remotely without any authentication. Vulnerability: Injection CVE: CVE-2022-2594 Number of Installations: 2,000,000+ Affected Software: Advanced Custom Fields <= 5.12.2 Patched Versions: Advanced Custom Fields 5.12.3
This vulnerability allows unauthenticated users to upload arbitrary files allowed in the default WordPress configuration if a front-end form is available.
Mitigation steps: Update to Advanced Custom Fields plugin version 5.12.3 or greater.
Autoptimize Plugin — Authenticated Stored Cross-Site Scripting vulnerability
Security Risk: Medium Exploitation Level: Requires a high role user authentication like Admin. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2022-2635 Number of Installations: 1,000,000+ Affected Software: Autoptimize Plugin <= 3.1.0 Patched Versions: Autoptimize Plugin 3.1.1
The plugin does not properly sanitize or escape the action before it is returned to the front-end, which can allow Admins and other high privilege users to insert arbitrary javascript code even when the unfiltered_html capability is disabled.
Mitigation steps: Update to Autoptimize Plugin plugin version 3.1.1 or greater.
Better Search Replace — Authenticated SQL Injection (SQLi)
Security Risk: Medium Exploitation Level: Requires a high role user authentication like Admin. Vulnerability: SQL Injection CVE: CVE-2022-2593 Number of Installations: 1,000,000+ Affected Software: Better Search Replace <= 1.4 Patched Versions: Better Search Replace 1.4.1
Table data is not properly sanitized or escaped before it is inserted into an SQL query, which can allow Admins and other high privilege users to perform an SQL injection attack.
Mitigation steps: Update to Better Search Replace plugin version 1.4.1 or greater.
Broken Link Checker – Authenticated PHAR Deserialization
Security Risk: Small Exploitation Level: Requires a high role user authentication like Admin. Vulnerability: Insecure Deserialization CVE: CVE-2022-2438 Number of Installations: 700,000+ Affected Software: Broken Link Checker <= 1.11.16 Patched Versions: Broken Link Checker 1.11.17
The $log_file value is not properly validated which allows admin roles and higher to call files using a PHAR wrapper. This technique deserializes data, allowing the attacker to call arbitrary PHP objects when a POP (Property Oriented Programming) chain is present.
Mitigation steps: Update to Broken Link Checker plugin version 1.11.17 or greater.
Photo Gallery — Reflected Cross-Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires a privileged user to visit a malicious link while the plugin is displaying a notice Vulnerability: Cross Site Scripting (XSS) CVE: N/A Number of Installations: 300,000+ Affected Software: Photo Gallery <= 1.7.0 Patched Versions: Photo Gallery 1.7.1
Some URLs are not properly escaped before outputting back into attributes, which can lead to reflected cross-site scripting attacks.
Mitigation steps: Update to Photo Gallery plugin version 1.7.1 or greater.
WooCommerce PDF Invoices & Packing Slips – Reflected Cross-Site Scripting
Security Risk: Medium Exploitation Level: Requires a privileged user to visit a malicious link Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2022-2537 Number of Installations: 700,000+ Affected Software: WooCommerce PDF Invoices & Packing Slips <= 3.0.0 Patched Versions: WooCommerce PDF Invoices & Packing Slips 3.0.1
Some parameters are not escaped before outputting them back into the attributes of an Admin page, making it possible for attackers to launch reflected cross-site scripting attacks.
Mitigation steps: Update WooCommerce PDF Invoices & Packing Slips plugin to version 3.0.1 or greater.
WPvivid Backup & MIgration – Authenticated PHAR Deserialization
Security Risk: Small Exploitation Level: Requires a high role user authentication like Admin. Vulnerability: Insecure Deserialization CVE: CVE-2022-2442 Number of Installations: 200,000+ Affected Software: WPvivid Backup & MIgration <= 0.9.74 Patched Versions: WPvivid Backup & MIgration 0.9.75
The path parameter is not properly validated, which can allow users with Admin privileges to call files using a PHAR wrapper. This technique deserializes data, allowing the attacker to call arbitrary PHP objects when a POP (Property Oriented Programming) chain is present. To successfully execute the vulnerability, an attacker must first be able to upload a file with the serialized payload.
Mitigation steps: Update to WPvivid Backup & MIgration plugin version 0.9.75 or greater.
Anti-Malware Security and Brute-Force Firewall – Reflected Cross-Site Scripting
Security Risk: Medium Exploitation Level: Requires a privileged user to visit a malicious link Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2022-2599 Number of Installations: 200,000+ Affected Software: Anti-Malware Security and Brute-Force Firewall <= 4.21.74 Patched Versions: Anti-Malware Security and Brute-Force Firewall 4.21.83
Some parameters are not properly sanitized and escaped before they are outputted back into the Admin dashboard, which can lead to reflected cross-site scripting attacks.
Mitigation steps: Update to Anti-Malware Security and Brute-Force Firewall plugin version 4.21.83 or greater.
Download Manager – Authenticated PHAR Deserialization
Security Risk: Small Exploitation Level: Requires contributor role or higher. Vulnerability: Insecure Deserialization CVE: CVE-2022-2436 Number of Installations: 100,000+ Affected Software: Download Manager <= 3.2.49 Patched Versions: Download Manager 3.2.50
The file[package_dir] parameter is not properly validated which allows users with contributor privileges to call files using a PHAR wrapper. This technique deserializes data, allowing the attacker to call arbitrary PHP objects when a POP (Property Oriented Programming) chain is present. To successfully execute the vulnerability, an attacker must first be able to upload a file with the serialized payload.
Mitigation steps: Update to Download Manager plugin version 3.2.50 or greater.
String Locator – Authenticated PHAR Deserialization vulnerability
Security Risk: Small Exploitation Level: Requires an Admin to open a malicious link. Vulnerability: Insecure Deserialization CWE: CVE-2022-2434 Number of Installations: 100,000+ Affected Software: String Locator <= 2.5.0 Patched Versions: String Locator 2.6.0
A parameter is not properly validated, which can lead to PHAR deserialization if an attacker manages to upload a file containing a gadget chain and has a logged in Admin open a malicious link.
Mitigation steps: Update to String Locator plugin version 2.60 or greater.
WP Hide & Security Enhancer — Reflected Cross-Site Scripting
Security Risk: Medium Exploitation Level: Requires a privileged user to visit a malicious link Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2022-2538 Number of Installations: 80,000+ Affected Software: WP Hide Security Enhancer <= 1.7.9.2 Patched Versions: WP Hide Security Enhancer 1.8
A parameter is not properly escaped before being outputted back into an attribute of a backend page, which can lead to a reflected cross-site scripting attack.
Mitigation steps: Update to WP Hide & Security Enhancer plugin version 1.8 or greater.
Social Slider Feed — Reflected Stored Cross-Site Scripting
Security Risk: Medium Exploitation Level: Requires a privileged user to visit a malicious link Vulnerability: Cross Site Scripting (XSS) CVE: CWE-79 Number of Installations: 80,000+ Affected Software: Social Slider Feed <= 2.0.4 Patched Versions: Social Slider Feed 2.0.5
Some URLs are not properly escaped before being outputted back into attributes, which can lead to a reflected cross-site scripting attack.
Mitigation steps: Update to Social Slider Feed plugin version 2.0.5 or greater.
Ajax Load More — PHAR Deserialization via Cross-Site Request Forgery (CSRF)
Security Risk: Small Exploitation Level: Requires a privileged user to visit a malicious link Vulnerability: Insecure Deserialization CVE: CVE-2022-2433 Number of Installations: 50,000+ Affected Software: Ajax Load More <= 5.5.3 Patched Versions: Ajax Load More 5.5.4
A parameter is not properly validated, which can lead to PHAR deserialization if an attacker manages to upload an arbitrary file and has a logged in Admin open a malicious link.
Mitigation steps: Update to Ajax Load More plugin version 5.5.4 or greater.
WP-UserOnline — Authenticated Stored Cross-Site Scripting
Security Risk: Small Exploitation Level: Requires an Admin or other high role authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2022-2941 Number of Installations: 20,000+ Affected Software: WP-UserOnline <= 2.88.0 Patched Versions: WP-UserOnline 2.88.1
All fields in the Naming Conventions section do not properly sanitize user input or escape it on output, making it possible for an attacker with Admin privileges to inject JavaScript into the setting which will execute whenever a user accesses the page.
This vulnerability only affects installations where unfiltered_html is disabled as well as multi-site installations.
Mitigation steps: Update to WP-UserOnline plugin version 2.88.1 or greater.
Leaflet Maps Marker — Authenticated SQL Injection
Security Risk: Small Exploitation Level: Requires an Admin or other high role authentication. Vulnerability: SQL Injection CVE: CVE-2022-1123 Number of Installations: 20,000+ Affected Software: Leaflet Maps Marker <= 3.12.4 Patched Versions: Leaflet Maps Marker 3.12.5
Parameters are not properly sanitized before they are inserted into SQL queries, allowing high privilege users to perform SQL injection attacks.
Mitigation steps: Update to Leaflet Maps Marker plugin version 3.12.5 or greater.
Affiliates Manager — Reflected Cross-Site Scripting
Security Risk: Medium Exploitation Level: Requires a privileged user to visit a malicious link Vulnerability: Cross Site Scripting (XSS) CWE: CWE-79 Number of Installations: 10,000+ Affected Software: Affiliates Manager <= 2.9.13 Patched Versions: Affiliates Manager 2.9.14
Parameters are not properly sanitized or escaped by the plugin before being outputted back in pages, which can lead to reflected cross-site scripting attacks.
Mitigation steps: Update to Affiliates Manager plugin version 2.9.14 or greater.
WP Sticky Button — Cross-Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Can be exploited remotely without any authentication. Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2022-2375 Number of Installations: 10,000+ Affected Software: WP Sticky Button <= 1.4.0 Patched Versions: WP Sticky Button 1.4.1
Authorization and CSRF checks are not made when settings are saved, which can allow unauthenticated users to update plugin settings. Additionally, a lack of proper escaping can lead to stored cross-site scripting attacks.
Mitigation steps: Update to WP Sticky Button plugin version 1.4.1 or greater.
Users who are not able to update their software with the latest version are encouraged to use a web application firewall to virtually patch these vulnerabilities and protect their website.