Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
Contact Form by WPForms — Authenticated Arbitrary File Access
Security Risk: Medium Exploitation Level: Requires admin or other high level authentication. Vulnerability: Injection CVE: CWE-22 Number of Installations: 5+ million Affected Software: Contact Form by WPForms <= 1.7.5.3 Patched Versions: Contact Form by WPForms 1.7.5.5
The plugin does not properly validate the email template path, potentially allowing admins or other high privilege users to access files on the web server.
Mitigation steps: Update to Contact Form by WPForms plugin version 1.7.5.5 or greater.
WordPress All in One SEO — Multiple Cross-Site Request Forgeries (CSRF’s)
Security Risk: Medium Exploitation Level: Requires an attacker to send a malicious link to a privileged user. Vulnerability: Cross Site Request Forgery CVE: CVE-2022-38093 Number of Installations: 3+ million Affected Software: WordPress All in One SEO plugin <= 4.2.3.1 Patched Versions: WordPress All in One SEO plugin 4.2.4
The plugin does not contain CSRF checks in a number of places, potentially allowing an attacker to make a logged-in user perform actions via a CSRF attack.
Mitigation steps: Update to WordPress All in One SEO plugin plugin version 4.2.4 or greater.
WordPress SVG Support — Authenticated Stored Cross-Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires an author role or higher authentication. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2022-1755 Number of Installations: 1 million+ Affected Software: WordPress SVG Support <= 2.4.2 Patched Versions: WordPress SVG Support 2.5
The plugin does not properly handle adding SVG images to posts, potentially allowing an attacker with author role or higher to perform a cross-site scripting attack.
Mitigation steps: Update to WordPress SVG Support plugin version 2.5 or greater.
Activity Log — CSV Injection
Security Risk: Medium Exploitation Level: Can be exploited remotely without any authentication. Requires a privileged user to export the logs and open them in a spreadsheet application. Vulnerability: CSV Injection CVE: CVE-2022-27858 Number of Installations: 200,000+ Affected Software: Activity Log <= 2.8.3 Patched Versions: Activity Log 2.8.4
The plugin fails to sanitize the content of the activity log. When an admin exports an activity log in which an attacker has injected a malicious payload in a modern spreadsheet app, an attacker can execute some malicious formulas and exfiltrate information from the site administrator.
Mitigation steps: Update to Activity Log plugin version 2.8.4 or greater.
Booster for WooCommerce — Arbitrary Order Status Update
Security Risk: Medium Exploitation Level: Requires customer role authentication. Vulnerability: Broken Access Control CVE: CVE-2022-3227 Number of Installations: 60,000+ Affected Software: Booster for WooCommerce <= 5.6.2 Patched Versions: Booster for WooCommerce 5.6.3
The plugin does not ensure that the status set is allowed, potentially allowing users to set arbitrary statuses to their own orders and mark them as paid when payment has not been fulfilled.
Mitigation steps: Update to Booster for WooCommerce plugin version 5.6.3 or greater.
WordPress SearchWP Live Ajax Search — Unauthenticated Local File Inclusion (LFI)
Security Risk: Medium Exploitation Level: Can be exploited remotely without any authentication. Vulnerability: Injection CVE: CVE-2022-3227 Number of Installations: 60,000+ Affected Software: SearchWP Live Ajax Search <= 1.6.2 Patched Versions: SearchWP Live Ajax Search 1.6.3
The plugin does not validate a parameter in an AJAX action, potentially allowing an unauthenticated attack to perform a local file inclusion attack.
Mitigation steps: Update to SearchWP Live Ajax Search plugin version 1.6.3 or greater.
Customer Reviews for WooCommerce — Sensitive Information Disclosure
Security Risk: Medium Exploitation Level: Can be exploited remotely without any authentication. Vulnerability: Sensitive Data Exposure CVE: CVE-2022-40194 Number of Installations: 50,000+ Affected Software: Customer Reviews for WooCommerce <= 5.3.5 Patched Versions: Customer Reviews for WooCommerce 5.3.6
The manipulation of an unknown input leads to information disclosure vulnerability.
Mitigation steps: Update to Customer Reviews for WooCommerce plugin version 5.3.6 or greater.
Import all XML, CSV & TXT — Authenticated SQL Injection (SQLi)
Security Risk: Low Exploitation Level: Requires admin or other high level authentication. Vulnerability: Injection CVE: CVE-2022-3243 Number of Installations: 20,000+ Affected Software: Import all XML, CSV & TXT <= 6.5.7 Patched Versions: Import all XML, CSV & TXT <= 6.5.8
Due to the fact that the plugin does not properly sanitize and escape imported data prior to being used in SQL statements, admins and other high privilege user roles are able to exploit leading to SQL injection.
Mitigation steps: Update to Import all XML, CSV & TXT plugin version 6.5.8 or greater.
Top Bar — Authenticated Stored Cross-Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires admin or other high level authentication. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2022-2629 Number of Installations: 20,000+ Affected Software: Top Bar <= 3.0.3 Patched Versions: Top Bar 3.0.4
The plugin does not properly escape and sanitize settings prior to outputting them into pages, potentially allowing admins and other high privilege users to perform stored cross-site scripting attacks.
Mitigation steps: Update to Top Bar plugin version 3.0.4 or greater.
CallRail Phone Call Tracking — Authenticated Stored Cross-Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires a privileged user to click a malicious link. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2022-36796 Number of Installations: 20,000+ Affected Software: CallRail Phone Call Tracking <=0.4.9 Patched Versions: CallRail Phone Call Tracking 0.4.10
The plugin does not contain a CSRF check and lacks proper sanitization and escaping in some parameters, potentially allowing an attacker to make a logged-in admin place and execute cross-site scripting (XSS) payloads.
Mitigation steps: Update to CallRail Phone Call Tracking plugin version 0.4.10 or greater.
wpForo Forum — Cross-Site Request Forgery (CSRF)
Security Risk: Medium Exploitation Level: Requires a privileged user to click a malicious link. Vulnerability: Broken Access Control CVE: CVE-2022-38144 Number of Installations: 20,000+ Affected Software: wpForo Forum <= 2.0.5 Patched Versions: wpForo Forum 2.0.6
The plugin does not contain a CSRF check, potentially allowing an attacker to make a logged-in user perform malicious actions.
Mitigation steps: Update to wpForo Forum plugin version 2.0.6 or greater.
Advanced Dynamic Pricing for WooCommerce — Cross-Site Request Forgery (CSRF)
Security Risk: Medium Exploitation Level: Requires a privileged user to click a malicious link. Vulnerability: Broken Access Control CVE: CVE-2022-38095 Number of Installations: 20,000+ Affected Software: Advanced Dynamic Pricing for WooCommerce <= 4.1.3 Patched Versions: Advanced Dynamic Pricing for WooCommerce 4.1.4
The plugin does not contain a CSRF check, potentially allowing an attacker to make a logged-in user perform malicious actions.
Mitigation steps: Update to Advanced Dynamic Pricing for WooCommerce plugin version 4.1.4 or greater.
Rate my Post – WP Rating System — Cross-Site Request Forgery (CSRF)
Security Risk: Medium Exploitation Level: Requires a privileged user to click a malicious link. Vulnerability: Broken Access Control CVE: CVE-2022-40671 Number of Installations: 20,000+ Affected Software: Rate my Post – WP Rating System <= 3.3.4 Patched Versions: Rate my Post – WP Rating System 3.3.5
The plugin does not contain a CSRF check when settings are updated, potentially allowing an attacker to make a logged-in admin update them via a CSRF attack.
Mitigation steps: Update to Rate my Post – WP Rating System plugin version 3.3.5 or greater.
Passster — Insecure Storage of Password
Security Risk: Medium Exploitation Level: Requires an attacker to have access to the victim’s cookies, such as via XSS or physical access. Vulnerability: Broken Authentication CVE: CVE-2022-3206 Number of Installations: 10,000+ Affected Software: Passster <= 3.5.5.5.1 Patched Versions: Passster 3.5.5.5.2
The plugin encodes passwords using base64 and stores them inside a cookie labeled “passster “, putting user passwords at risk if the cookie is leaked.
Mitigation steps: Update to Passster plugin version 3.5.5.5.2 or greater.
Awesome Support — Multiple Authenticated Stored Cross-Site Scripting (XSS) vulns
Security Risk: Medium Exploitation Level: Requires a custom role within the plugin. Vulnerability: Cross-Site Scripting CVE: CVE-2022-2763 Number of Installations: 10,000+ Affected Software: Awesome Support = 6.0.7 Patched Versions: Awesome Support 6.0.8
The plugin does not properly sanitize and escape some properties, potentially allowing a privileged user to perform stored cross-site scripting attacks.
Mitigation steps: Update to Awesome Support plugin version 6.0.8 or greater.
WP Socializer — Authenticated Stored Cross-Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires admin or other high level role authentication. Vulnerability: Cross-Site Scripting CVE: CVE-2022-2763 Number of Installations: 10,000+ Affected Software: WP Socializer <= 7.2 Patched Versions: WP Socializer 7.3
The plugin does not properly sanitize and escape some settings for its icons, potentially allowing an admin to perform stored cross-site scripting attacks.
Mitigation steps: Update to WP Socializer plugin version 7.3 or greater.
GetResponse — Cross-Site Request Forgery (CSRF) Leading to API Key Update
Security Risk: Medium Exploitation Level: Requires an attacker to send a malicious link to a privileged user. Vulnerability: Broken Access Control CVE: CVE-2022-35277 Number of Installations: 10,000+ Affected Software: GetResponse <= 5.5.20 Patched Versions: GetResponse 5.5.21
The plugin does not contain a CSRF check when the API key is updated, potentially allowing an attacker to make a logged-in admin update it via a CSRF attack.
Mitigation steps: Update to GetResponse plugin version 5.5.21 or greater.
Pop-up — Arbitrary Settings Update via CSRF
Security Risk: Medium Exploitation Level: Requires an attacker to send a malicious link to a privileged user. Vulnerability: Broken Access Control CVE: CVE-2022-38070 Number of Installations: 9,000+ Affected Software: Pop-up <= 1.1.5 Patched Versions: Pop-up <= 1.1.6
The plugin does not contain a CSRF check when settings are updated, potentially allowing an attacker to make a logged-in admin update them via a CSRF attack.
Mitigation steps: Update to Pop-up plugin version 1.1.6 or greater.
Goolytics — Authenticated Stored Cross-Site Scripting (XSS)
Security Risk: Medium Exploitation Level: Requires admin or other high level role authentication. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2022-3132 Number of Installations: 7,000+ Affected Software: Goolytics <= 1.1.1 Patched Versions: Goolytics <= 1.1.2
Some settings are not properly sanitized and escaped, potentially allowing high privilege users to perform cross-site scripting attacks.
Mitigation steps: Update to Goolytics plugin version 1.1.2 or greater.
Wordfence Security — Authenticated Stored Cross-Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires a high privileged role such as admin. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2022-3144 Number of Installations: 4 million+ Affected Software: Wordfence Security <= 7.6.0 Patched Versions: Wordfence Security 7.6.1
The plugin does not properly sanitize and escape a setting, potentially allowing an admin to perform a stored cross-site scripting attack.
Mitigation steps: Update to Wordfence Security plugin version 7.6.1 or greater.
NinjaForms — Authenticated PHP Objection Injection
Security Risk: Low Exploitation Level: Requires admin or other high level role authentication. Vulnerability: Injection CVE: CVE-2022-36796 Number of Installations: 900,000+ Affected Software: NinjaForms <= 3.6.12 Patched Versions: NinjaForms 3.6.13
The plugin unserializes the contents of imported files, potentially leading to a PHP object injection issue if an admin imports a malicious file.
Mitigation steps: Update to NinjaForm plugin version 3.6.13 or greater.
Post SMTP Mailer/Email Log — Authenticated Blind Server-Side Request Forgery (SSRF)
Security Risk: Low Exploitation Level: Requires admin or other high level role authentication. Vulnerability: Injection CVE: CVE-2022-2352 Number of Installations: 300,000+ Affected Software: Post SMTP Mailer/Email Log <= 2.1.6 Patched Versions: Post SMTP Mailer/Email Log 2.1.7
The plugin does not contain proper authorization in some AJAX actions, potentially allowing admins and other high privilege users to perform bling SSRF attacks.
Mitigation steps: Update to Post SMTP Mailer/Email Log plugin version 2.1.7 or greater.
reSmush.it Image Optimizer — Authenticated Cross-Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires admin or other high level role authentication. Vulnerability: Cross-Site Scripting CVE: CVE-2022-2448 Number of Installations: 200,000+ Affected Software: reSmush.it Image Optimizer <= 0.4.5 Patched Versions: reSmush.it Image Optimizer 0.4.6
The plugin does not properly sanitize and escape some settings, potentially allowing admins and other high privilege users to perform a stored cross-site scripting attack.
Mitigation steps: Update to reSmush.it Image Optimizer plugin version 0.4.6 or greater.
Download Monitor — Authenticated Arbitrary File Download
Security Risk: Low Exploitation Level: Requires admin or other high level role authentication. Vulnerability: Injection CVE: CVE-2022-2981 Number of Installations: 100,000+ Affected Software: Download Monitor <= 4.5.97 Patched Versions: Download Monitor 4.5.98
The plugin does not properly confirm that downloaded files are inside blog folders, potentially allowing a high privilege user to download sensitive files from the website.
Mitigation steps: Update to Download Monitor plugin version 4.5.98 or greater.
Booking Calendar — Translation Update via Cross-Site Request Forgery (CSRF)
Security Risk: Low Exploitation Level: Requires an attacker to send a malicious link to a privileged user. Vulnerability: Broken Access Control CVE: CVE-2022-33177 Number of Installations: 60,000+ Affected Software: Booking Calendar <= 9.2.1 Patched Versions: Booking Calendar 9.2.2
The plugin does not contain CSRF checks when updating a translation, potentially allowing an attacker to make a logged-in user update translations via a CSRF attack.
Mitigation steps: Update to Booking Calendar plugin version 9.2.2 or greater.
Drag and Drop Multiple File Upload — File Upload Size Limit Bypass
Security Risk: Low Exploitation Level: Can be exploited remotely without any authentication. Vulnerability: Broken Access Control CVE: CVE-2022-3282 Number of Installations: 50,000+ Affected Software: Drag and Drop Multiple File Upload <= 1.3.6.4 Patched Versions: Drag and Drop Multiple File Upload 1.3.6.5
Upload size limits set in forms are not properly checked by the plugin and instead take the value from user input on form submit, potentially allowing attackers to control and bypass the limit set by admins.
Mitigation steps: Update to Drag and Drop Multiple File Upload plugin version 1.3.6.5 or greater.
Tutor LMS — Authenticated Stored Cross-Site Scripting (XSS)
Security Risk: Low Exploitation Level: Requires admin or other high privilege role. Vulnerability: Cross-Site Scripting (XSS) CVE: CVE-2022-2563 Number of Installations: 50,000+ Affected Software: Tutor LMS <= 2.0.9 Patched Versions: Tutor LMS 2.0.10
Some course parameters are not properly escaped, potentially allowing high privilege users to perform stored cross-site scripting attacks.
Mitigation steps: Update to Tutor LMS plugin version 2.0.10 or greater.
Users who are not able to update their software with the latest version are encouraged to use a web application firewall to virtually patch these vulnerabilities and protect their website.
Ben Martin
Rianna MacLeod
Denis Sinegubko
Marc-Alexandre Montpas
Antony Garand
Rodrigo Escobar
John Castro
Luke Leal