WordPress Vulnerability & Patch Roundup September 2022

WordPress Vulnerability & Patch Roundup — September 2022

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.


Contact Form by WPForms — Authenticated Arbitrary File Access

Security Risk: Medium
Exploitation Level: Requires admin or other high level authentication.
Vulnerability: Injection
CVE: CWE-22
Number of Installations: 5+ million
Affected Software: Contact Form by WPForms <= 1.7.5.3
Patched Versions: Contact Form by WPForms 1.7.5.5

The plugin does not properly validate the email template path, potentially allowing admins or other high privilege users to access files on the web server.

Mitigation steps: Update to Contact Form by WPForms plugin version 1.7.5.5 or greater.


WordPress All in One SEO — Multiple Cross-Site Request Forgeries (CSRF’s)

Security Risk: Medium
Exploitation Level: Requires an attacker to send a malicious link to a privileged user.
Vulnerability: Cross Site Request Forgery
CVE: CVE-2022-38093
Number of Installations: 3+ million
Affected Software: WordPress All in One SEO plugin <= 4.2.3.1
Patched Versions: WordPress All in One SEO plugin 4.2.4

The plugin does not contain CSRF checks in a number of places, potentially allowing an attacker to make a logged-in user perform actions via a CSRF attack.

Mitigation steps: Update to WordPress All in One SEO plugin plugin version 4.2.4 or greater.


WordPress SVG Support — Authenticated Stored Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires an author role or higher authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2022-1755
Number of Installations: 1 million+
Affected Software: WordPress SVG Support <= 2.4.2
Patched Versions: WordPress SVG Support 2.5

The plugin does not properly handle adding SVG images to posts, potentially allowing an attacker with author role or higher to perform a cross-site scripting attack.

Mitigation steps: Update to WordPress SVG Support plugin version 2.5 or greater.


Activity Log — CSV Injection

Security Risk: Medium
Exploitation Level: Can be exploited remotely without any authentication. Requires a privileged user to export the logs and open them in a spreadsheet application.
Vulnerability: CSV Injection
CVE: CVE-2022-27858
Number of Installations: 200,000+
Affected Software: Activity Log <= 2.8.3
Patched Versions: Activity Log 2.8.4

The plugin fails to sanitize the content of the activity log. When an admin exports an activity log in which an attacker has injected a malicious payload in a modern spreadsheet app, an attacker can execute some malicious formulas and exfiltrate information from the site administrator.

Mitigation steps: Update to Activity Log plugin version 2.8.4 or greater.


Booster for WooCommerce — Arbitrary Order Status Update

Security Risk: Medium
Exploitation Level: Requires customer role authentication.
Vulnerability: Broken Access Control
CVE: CVE-2022-3227
Number of Installations: 60,000+
Affected Software:  Booster for WooCommerce <= 5.6.2
Patched Versions: Booster for WooCommerce 5.6.3

The plugin does not ensure that the status set is allowed, potentially allowing users to set arbitrary statuses to their own orders and mark them as paid when payment has not been fulfilled.

Mitigation steps: Update to Booster for WooCommerce plugin version 5.6.3 or greater.


WordPress SearchWP Live Ajax Search — Unauthenticated Local File Inclusion (LFI)

Security Risk: Medium
Exploitation Level: Can be exploited remotely without any authentication.
Vulnerability: Injection
CVE: CVE-2022-3227
Number of Installations: 60,000+
Affected Software:  SearchWP Live Ajax Search <= 1.6.2
Patched Versions: SearchWP Live Ajax Search 1.6.3

The plugin does not validate a parameter in an AJAX action, potentially allowing an unauthenticated attack to perform a local file inclusion attack.

Mitigation steps: Update to SearchWP Live Ajax Search plugin version 1.6.3 or greater.


Customer Reviews for WooCommerce — Sensitive Information Disclosure

Security Risk: Medium
Exploitation Level: Can be exploited remotely without any authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2022-40194
Number of Installations: 50,000+
Affected Software:  Customer Reviews for WooCommerce <= 5.3.5
Patched Versions: Customer Reviews for WooCommerce 5.3.6

The manipulation of an unknown input leads to information disclosure vulnerability.

Mitigation steps: Update to Customer Reviews for WooCommerce plugin version 5.3.6 or greater.


Import all XML, CSV & TXT — Authenticated SQL Injection (SQLi)

Security Risk: Low
Exploitation Level: Requires admin or other high level authentication.
Vulnerability: Injection
CVE: CVE-2022-3243
Number of Installations: 20,000+
Affected Software:  Import all XML, CSV & TXT <= 6.5.7
Patched Versions: Import all XML, CSV & TXT <= 6.5.8

Due to the fact that the plugin does not properly sanitize and escape imported data prior to being used in SQL statements, admins and other high privilege user roles are able to exploit leading to SQL injection.

Mitigation steps: Update to Import all XML, CSV & TXT plugin version 6.5.8 or greater.


Top Bar — Authenticated Stored Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires admin or other high level authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2022-2629
Number of Installations: 20,000+
Affected Software:  Top Bar <= 3.0.3
Patched Versions: Top Bar 3.0.4

The plugin does not properly escape and sanitize settings prior to outputting them into pages, potentially allowing admins and other high privilege users to perform stored cross-site scripting attacks.

Mitigation steps: Update to Top Bar plugin version 3.0.4 or greater.


CallRail Phone Call Tracking — Authenticated Stored Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires a privileged user to click a malicious link.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2022-36796
Number of Installations: 20,000+
Affected Software:  CallRail Phone Call Tracking <=0.4.9
Patched Versions: CallRail Phone Call Tracking 0.4.10

The plugin does not contain a CSRF check and lacks proper sanitization and escaping in some parameters, potentially allowing an attacker to make a logged-in admin place and execute cross-site scripting (XSS) payloads.

Mitigation steps: Update to CallRail Phone Call Tracking plugin version 0.4.10 or greater.


wpForo Forum — Cross-Site Request Forgery (CSRF)

Security Risk: Medium
Exploitation Level: Requires a privileged user to click a malicious link.
Vulnerability: Broken Access Control
CVE: CVE-2022-38144
Number of Installations: 20,000+
Affected Software:  wpForo Forum <= 2.0.5
Patched Versions: wpForo Forum 2.0.6

The plugin does not contain a CSRF check, potentially allowing an attacker to make a logged-in user perform malicious actions.

Mitigation steps: Update to wpForo Forum plugin version 2.0.6 or greater.


Advanced Dynamic Pricing for WooCommerce — Cross-Site Request Forgery (CSRF)

Security Risk: Medium
Exploitation Level: Requires a privileged user to click a malicious link.
Vulnerability: Broken Access Control
CVE: CVE-2022-38095
Number of Installations: 20,000+
Affected Software:  Advanced Dynamic Pricing for WooCommerce <= 4.1.3
Patched Versions: Advanced Dynamic Pricing for WooCommerce 4.1.4

The plugin does not contain a CSRF check, potentially allowing an attacker to make a logged-in user perform malicious actions.

Mitigation steps: Update to Advanced Dynamic Pricing for WooCommerce plugin version 4.1.4 or greater.


Rate my Post – WP Rating System — Cross-Site Request Forgery (CSRF)

Security Risk: Medium
Exploitation Level: Requires a privileged user to click a malicious link.
Vulnerability: Broken Access Control
CVE: CVE-2022-40671
Number of Installations: 20,000+
Affected Software: Rate my Post – WP Rating System <= 3.3.4
Patched Versions: Rate my Post – WP Rating System 3.3.5

The plugin does not contain a CSRF check when settings are updated, potentially allowing an attacker to make a logged-in admin update them via a CSRF attack.

Mitigation steps: Update to Rate my Post – WP Rating System plugin version 3.3.5 or greater.


Passster — Insecure Storage of Password

Security Risk: Medium
Exploitation Level: Requires an attacker to have access to the victim’s cookies, such as via XSS or physical access.
Vulnerability: Broken Authentication
CVE: CVE-2022-3206
Number of Installations: 10,000+
Affected Software: Passster <= 3.5.5.5.1
Patched Versions: Passster 3.5.5.5.2

The plugin encodes passwords using base64 and stores them inside a cookie labeled passster “, putting user passwords at risk if the cookie is leaked.

Mitigation steps: Update to Passster plugin version 3.5.5.5.2 or greater.


Awesome Support — Multiple Authenticated Stored Cross-Site Scripting (XSS) vulns

Security Risk: Medium
Exploitation Level: Requires a custom role within the plugin.
Vulnerability: Cross-Site Scripting
CVE: CVE-2022-2763
Number of Installations: 10,000+
Affected Software: Awesome Support = 6.0.7
Patched Versions: Awesome Support 6.0.8

The plugin does not properly sanitize and escape some properties, potentially allowing a privileged user to perform stored cross-site scripting attacks.

Mitigation steps: Update to Awesome Support plugin version 6.0.8 or greater.


WP Socializer — Authenticated Stored Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires admin or other high level role authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2022-2763
Number of Installations: 10,000+
Affected Software: WP Socializer <= 7.2
Patched Versions: WP Socializer 7.3

The plugin does not properly sanitize and escape some settings for its icons, potentially allowing an admin to perform stored cross-site scripting attacks.

Mitigation steps: Update to WP Socializer plugin version 7.3 or greater.


GetResponse — Cross-Site Request Forgery (CSRF) Leading to API Key Update

Security Risk: Medium
Exploitation Level: Requires an attacker to send a malicious link to a privileged user.
Vulnerability: Broken Access Control
CVE: CVE-2022-35277
Number of Installations: 10,000+
Affected Software: GetResponse <= 5.5.20
Patched Versions: GetResponse 5.5.21

The plugin does not contain a CSRF check when the API key is updated, potentially allowing an attacker to make a logged-in admin update it via a CSRF attack.

Mitigation steps: Update to GetResponse plugin version 5.5.21 or greater.


Pop-up — Arbitrary Settings Update via CSRF

Security Risk: Medium
Exploitation Level: Requires an attacker to send a malicious link to a privileged user.
Vulnerability: Broken Access Control
CVE: CVE-2022-38070
Number of Installations: 9,000+
Affected Software: Pop-up <= 1.1.5
Patched Versions: Pop-up <= 1.1.6

The plugin does not contain a CSRF check when settings are updated, potentially allowing an attacker to make a logged-in admin update them via a CSRF attack.

Mitigation steps: Update to Pop-up plugin version 1.1.6 or greater.


Goolytics — Authenticated Stored Cross-Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires admin or other high level role authentication.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2022-3132
Number of Installations: 7,000+
Affected Software: Goolytics <= 1.1.1
Patched Versions: Goolytics <= 1.1.2

Some settings are not properly sanitized and escaped, potentially allowing high privilege users to perform cross-site scripting attacks.

Mitigation steps: Update to Goolytics plugin version 1.1.2 or greater.


Wordfence Security — Authenticated Stored Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires a high privileged role such as admin.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2022-3144
Number of Installations: 4 million+
Affected Software: Wordfence Security <= 7.6.0
Patched Versions: Wordfence Security 7.6.1

The plugin does not properly sanitize and escape a setting, potentially allowing an admin to perform a stored cross-site scripting attack.

Mitigation steps: Update to Wordfence Security plugin version 7.6.1 or greater.


NinjaForms — Authenticated PHP Objection Injection

Security Risk: Low
Exploitation Level: Requires admin or other high level role authentication.
Vulnerability: Injection
CVE: CVE-2022-36796
Number of Installations: 900,000+
Affected Software:  NinjaForms <= 3.6.12
Patched Versions: NinjaForms 3.6.13

The plugin unserializes the contents of imported files, potentially leading to a PHP object injection issue if an admin imports a malicious file.

Mitigation steps: Update to NinjaForm plugin version 3.6.13 or greater.


Post SMTP Mailer/Email Log — Authenticated Blind Server-Side Request Forgery (SSRF)

Security Risk: Low
Exploitation Level: Requires admin or other high level role authentication.
Vulnerability: Injection
CVE: CVE-2022-2352
Number of Installations: 300,000+
Affected Software:  Post SMTP Mailer/Email Log <= 2.1.6
Patched Versions: Post SMTP Mailer/Email Log 2.1.7

The plugin does not contain proper authorization in some AJAX actions, potentially allowing admins and other high privilege users to perform bling SSRF attacks.

Mitigation steps: Update to Post SMTP Mailer/Email Log plugin version 2.1.7 or greater.


reSmush.it Image Optimizer — Authenticated Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires admin or other high level role authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2022-2448
Number of Installations: 200,000+
Affected Software:  reSmush.it Image Optimizer <= 0.4.5
Patched Versions: reSmush.it Image Optimizer 0.4.6

The plugin does not properly sanitize and escape some settings, potentially allowing admins and other high privilege users to perform a stored cross-site scripting attack.

Mitigation steps: Update to reSmush.it Image Optimizer plugin version 0.4.6 or greater.


Download Monitor — Authenticated Arbitrary File Download

Security Risk: Low
Exploitation Level: Requires admin or other high level role authentication.
Vulnerability: Injection
CVE: CVE-2022-2981
Number of Installations: 100,000+
Affected Software:  Download Monitor <= 4.5.97
Patched Versions: Download Monitor 4.5.98

The plugin does not properly confirm that downloaded files are inside blog folders, potentially allowing a high privilege user to download sensitive files from the website.

Mitigation steps: Update to Download Monitor plugin version 4.5.98 or greater.


Booking Calendar — Translation Update via Cross-Site Request Forgery (CSRF)

Security Risk: Low
Exploitation Level: Requires an attacker to send a malicious link to a privileged user.
Vulnerability: Broken Access Control
CVE: CVE-2022-33177
Number of Installations: 60,000+
Affected Software:  Booking Calendar <= 9.2.1
Patched Versions: Booking Calendar 9.2.2

The plugin does not contain CSRF checks when updating a translation, potentially allowing an attacker to make a logged-in user update translations via a CSRF attack.

Mitigation steps: Update to Booking Calendar plugin version 9.2.2 or greater.


Drag and Drop Multiple File Upload — File Upload Size Limit Bypass

Security Risk: Low
Exploitation Level: Can be exploited remotely without any authentication.
Vulnerability: Broken Access Control
CVE: CVE-2022-3282
Number of Installations: 50,000+
Affected Software: Drag and Drop Multiple File Upload <= 1.3.6.4
Patched Versions: Drag and Drop Multiple File Upload 1.3.6.5

Upload size limits set in forms are not properly checked by the plugin and instead take the value from user input on form submit, potentially allowing attackers to control and bypass the limit set by admins.

Mitigation steps: Update to Drag and Drop Multiple File Upload plugin version 1.3.6.5 or greater.


Tutor LMS — Authenticated Stored Cross-Site Scripting (XSS)

Security Risk: Low
Exploitation Level: Requires admin or other high privilege role.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2022-2563
Number of Installations: 50,000+
Affected Software:  Tutor LMS <= 2.0.9
Patched Versions: Tutor LMS 2.0.10

Some course parameters are not properly escaped, potentially allowing high privilege users to perform stored cross-site scripting attacks.

Mitigation steps: Update to Tutor LMS plugin version 2.0.10 or greater.

Users who are not able to update their software with the latest version are encouraged to use a web application firewall to virtually patch these vulnerabilities and protect their website.
You May Also Like