WordPress Vulnerabilities & Patch Roundup — August 2022

August 2022 WordPress Vulnerabilities Roundup

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed in this roundup are virtually patched by the Sucuri Firewall and existing clients are protected.


WordPress 6.0.2 Core Update

A new core update for WordPress has been released which features security and bug fixes in WordPress 6.0.2. We strongly encourage you to always keep your CMS patched with the latest core updates to mitigate risk and protect your site.


All-in-One WP Migration — Unauthenticated Reflected Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires a privileged user to visit a malicious link
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-2546
Number of Installations: 4,000,000+
Affected Software: All-in-One WP Migration <= 7.6.2
Patched Versions: All-in-One WP Migration 7.6.3

This vulnerability leverages an improperly escaped response from the ai1wm action, which allows an attacker to craft a request that injects arbitrary HTML or JavaScript into the response when submitted by any visitor which is then executed within the victim’s session.

Mitigation steps: Update to All-in-One WP Migration plugin version 7.6.3 or greater.


Advanced Custom Fields – Unauthenticated File Upload

Security Risk: High
Exploitation Level: Can be exploited remotely without any authentication.
Vulnerability: Injection
CVE: CVE-2022-2594
Number of Installations: 2,000,000+
Affected Software: Advanced Custom Fields <= 5.12.2
Patched Versions: Advanced Custom Fields 5.12.3

This vulnerability allows unauthenticated users to upload arbitrary files allowed in the default WordPress configuration if a front-end form is available.

Mitigation steps: Update to Advanced Custom Fields plugin version 5.12.3 or greater.


Autoptimize Plugin — Authenticated Stored Cross-Site Scripting vulnerability

Security Risk:  Medium
Exploitation Level: Requires a high role user authentication like Admin.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-2635
Number of Installations: 1,000,000+
Affected Software: Autoptimize Plugin <= 3.1.0
Patched Versions: Autoptimize Plugin 3.1.1

The plugin does not properly sanitize or escape the action before it is returned to the front-end, which can allow Admins and other high privilege users to insert arbitrary javascript code even when the unfiltered_html capability is disabled.

Mitigation steps: Update to Autoptimize Plugin plugin version 3.1.1 or greater.


Better Search Replace — Authenticated SQL Injection (SQLi)

Security Risk: Medium
Exploitation Level: Requires a high role user authentication like Admin.
Vulnerability: SQL Injection
CVE: CVE-2022-2593
Number of Installations: 1,000,000+
Affected Software: Better Search Replace  <= 1.4
Patched Versions: Better Search Replace  1.4.1

Table data is not properly sanitized or escaped before it is inserted into an SQL query, which can allow Admins and other high privilege users to perform an SQL injection attack.

Mitigation steps: Update to Better Search Replace plugin version 1.4.1 or greater.


Broken Link Checker – Authenticated PHAR Deserialization

Security Risk: Small
Exploitation Level: Requires a high role user authentication like Admin.
Vulnerability: Insecure Deserialization
CVE: CVE-2022-2438
Number of Installations: 700,000+
Affected Software: Broken Link Checker <= 1.11.16
Patched Versions: Broken Link Checker 1.11.17

The $log_file value is not properly validated which allows admin roles and higher to call files using a PHAR wrapper. This technique deserializes data, allowing the attacker to call arbitrary PHP objects when a POP (Property Oriented Programming) chain is present.

Mitigation steps: Update to Broken Link Checker plugin version 1.11.17 or greater.


Photo Gallery — Reflected Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires a privileged user to visit a malicious link while the plugin is displaying a notice
Vulnerability: Cross Site Scripting (XSS)
CVE: N/A
Number of Installations: 300,000+
Affected Software: Photo Gallery <= 1.7.0
Patched Versions: Photo Gallery 1.7.1

Some URLs are not properly escaped before outputting back into attributes, which can lead to reflected cross-site scripting attacks.

Mitigation steps: Update to Photo Gallery plugin version 1.7.1 or greater.


WooCommerce PDF Invoices & Packing Slips – Reflected Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires a privileged user to visit a malicious link
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-2537
Number of Installations: 700,000+
Affected Software: WooCommerce PDF Invoices & Packing Slips <= 3.0.0
Patched Versions: WooCommerce PDF Invoices & Packing Slips 3.0.1

Some parameters are not escaped before outputting them back into the attributes of an Admin page, making it possible for attackers to launch reflected cross-site scripting attacks.

Mitigation steps: Update WooCommerce PDF Invoices & Packing Slips plugin to version 3.0.1 or greater.


WPvivid Backup & MIgration – Authenticated PHAR Deserialization

Security Risk: Small
Exploitation Level: Requires a high role user authentication like Admin.
Vulnerability: Insecure Deserialization
CVE: CVE-2022-2442
Number of Installations: 200,000+
Affected Software: WPvivid Backup & MIgration <= 0.9.74
Patched Versions: WPvivid Backup & MIgration 0.9.75

The path parameter is not properly validated, which can allow users with Admin privileges to call files using a PHAR wrapper. This technique deserializes data, allowing the attacker to call arbitrary PHP objects when a POP (Property Oriented Programming) chain is present. To successfully execute the vulnerability, an attacker must first be able to upload a file with the serialized payload.

Mitigation steps: Update to WPvivid Backup & MIgration plugin version 0.9.75 or greater.


Anti-Malware Security and Brute-Force Firewall – Reflected Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires a privileged user to visit a malicious link
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-2599
Number of Installations: 200,000+
Affected Software: Anti-Malware Security and Brute-Force Firewall <= 4.21.74
Patched Versions: Anti-Malware Security and Brute-Force Firewall 4.21.83

Some parameters are not properly sanitized and escaped before they are outputted back into the Admin dashboard, which can lead to reflected cross-site scripting attacks.

Mitigation steps: Update to Anti-Malware Security and Brute-Force Firewall plugin version 4.21.83 or greater.


Download Manager – Authenticated PHAR Deserialization

Security Risk: Small
Exploitation Level: Requires contributor role or higher.
Vulnerability: Insecure Deserialization
CVE: CVE-2022-2436
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.2.49
Patched Versions: Download Manager 3.2.50

The file[package_dir] parameter is not properly validated which allows users with contributor privileges to call files using a PHAR wrapper. This technique deserializes data, allowing the attacker to call arbitrary PHP objects when a POP (Property Oriented Programming) chain is present. To successfully execute the vulnerability, an attacker must first be able to upload a file with the serialized payload.

Mitigation steps: Update to Download Manager plugin version 3.2.50 or greater.


String Locator – Authenticated PHAR Deserialization vulnerability

Security Risk: Small
Exploitation Level: Requires an Admin to open a malicious link.
Vulnerability: Insecure Deserialization
CWE: CVE-2022-2434
Number of Installations: 100,000+
Affected Software: String Locator <= 2.5.0
Patched Versions:  String Locator 2.6.0

A parameter is not properly validated, which can lead to PHAR deserialization if an attacker manages to upload a file containing a gadget chain and has a logged in Admin open a malicious link.

Mitigation steps: Update to String Locator plugin version 2.60 or greater.


WP Hide & Security Enhancer — Reflected Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires a privileged user to visit a malicious link
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-2538
Number of Installations: 80,000+
Affected Software: WP Hide Security Enhancer <= 1.7.9.2
Patched Versions: WP Hide Security Enhancer 1.8

A parameter is not properly escaped before being outputted back into an attribute of a backend page, which can lead to a reflected cross-site scripting attack.

Mitigation steps: Update to WP Hide & Security Enhancer plugin version 1.8 or greater.


Social Slider Feed — Reflected Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires a privileged user to visit a malicious link
Vulnerability: Cross Site Scripting (XSS)
CVE: CWE-79
Number of Installations: 80,000+
Affected Software: Social Slider Feed <= 2.0.4
Patched Versions: Social Slider Feed 2.0.5

Some URLs are not properly escaped before being outputted back into attributes, which can lead to a reflected cross-site scripting attack.

Mitigation steps: Update to Social Slider Feed plugin version 2.0.5 or greater.


Ajax Load More — PHAR Deserialization via Cross-Site Request Forgery (CSRF)

Security Risk: Small
Exploitation Level: Requires a privileged user to visit a malicious link
Vulnerability: Insecure Deserialization
CVE: CVE-2022-2433
Number of Installations: 50,000+
Affected Software: Ajax Load More <= 5.5.3
Patched Versions: Ajax Load More 5.5.4

A parameter is not properly validated, which can lead to PHAR deserialization if an attacker manages to upload an arbitrary file and has a logged in Admin open a malicious link.

Mitigation steps: Update to Ajax Load More plugin version 5.5.4 or greater.


WP-UserOnline — Authenticated Stored Cross-Site Scripting

Security Risk: Small
Exploitation Level: Requires an Admin or other high role authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-2941
Number of Installations: 20,000+
Affected Software: WP-UserOnline <= 2.88.0
Patched Versions: WP-UserOnline 2.88.1

All fields in the Naming Conventions section do not properly sanitize user input or escape it on output, making it possible for an attacker with Admin privileges to inject JavaScript into the setting which will execute whenever a user accesses the page.

This vulnerability only affects installations where unfiltered_html is disabled as well as multi-site installations.

Mitigation steps: Update to WP-UserOnline plugin version 2.88.1 or greater.


Leaflet Maps Marker — Authenticated SQL Injection

Security Risk: Small
Exploitation Level: Requires an Admin or other high role authentication.
Vulnerability: SQL Injection
CVE: CVE-2022-1123
Number of Installations: 20,000+
Affected Software: Leaflet Maps Marker  <= 3.12.4
Patched Versions: Leaflet Maps Marker 3.12.5

Parameters are not properly sanitized before they are inserted into SQL queries, allowing high privilege users to perform SQL injection attacks.

Mitigation steps: Update to Leaflet Maps Marker plugin version 3.12.5 or greater.


Affiliates Manager — Reflected Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Requires a privileged user to visit a malicious link
Vulnerability: Cross Site Scripting (XSS)

CWE: CWE-79
Number of Installations: 10,000+
Affected Software: Affiliates Manager <= 2.9.13
Patched Versions: Affiliates Manager 2.9.14

Parameters are not properly sanitized or escaped by the plugin before being outputted back in pages, which can lead to reflected cross-site scripting attacks.

Mitigation steps: Update to Affiliates Manager plugin version 2.9.14 or greater.


WP Sticky Button — Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Can be exploited remotely without any authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2022-2375
Number of Installations: 10,000+
Affected Software: WP Sticky Button <= 1.4.0
Patched Versions: WP Sticky Button 1.4.1

Authorization and CSRF checks are not made when settings are saved, which can allow unauthenticated users to update plugin settings. Additionally, a lack of proper escaping can lead to stored cross-site scripting attacks.

Mitigation steps: Update to WP Sticky Button plugin version 1.4.1 or greater.

Users who are not able to update their software with the latest version are encouraged to use a web application firewall to virtually patch these vulnerabilities and protect their website.
You May Also Like