Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
Autoptimize — Sensitive Data Exposure
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Sensitive Data Exposure CVE: CVE-2022-4057 Number of Installations: 1,000,000+ Affected Software: Autoptimize <= 3.0.4 Patched Versions: Autoptimize 3.1.0
The plugin writes its exported settings and log files to easily guessable paths, potentially allowing an unauthenticated attacker who requests those paths directly to read sensitive information.
Mitigation steps: Update to Autoptimize plugin version 3.1.0 or greater.
Loginizer — Cross-Site Scripting
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Cross-Site Scripting CVE: CVE-2022-45084 Number of Installations: 1,000,000+ Affected Software: Loginizer <= 1.7.5 Patched Versions: Loginizer 1.7.6
A parameter is not properly sanitized and escaped, potentially leading to malicious script injections and cross-site scripting attacks.
Mitigation steps: Update to Loginizer plugin version 1.7.6 or greater.
YITH WooCommerce Wishlist — Cross-Site Request Forgery
Security Risk: Medium Exploitation Level: No authentication required (the victim must be logged in). Vulnerability: Cross-Site Request Forgery (Broken Access Control) CVE: CVE-2022-44630 Number of Installations: 900,000+ Affected Software: YITH WooCommerce Wishlist <= 3.14.0 Patched Versions: YITH WooCommerce Wishlist 3.15.0
A CSRF vulnerability in the plugin can allow an attacker to trick a logged-in admin or other high-privilege user into performing unwanted actions, for example by getting them to open a crafted page or link while authenticated.
Mitigation steps: Update to YITH WooCommerce Wishlist plugin version 3.15.0 or greater.
Table of Contents Plus — Stored Cross-Site Scripting
Security Risk: Medium Exploitation Level: Requires contributor or higher authentication. Vulnerability: Cross-Site Scripting CVE: CVE-2022-4479 Number of Installations: 300,000+ Affected Software: Table of Contents Plus < 2212 Patched Versions: Table of Contents Plus 2212
Some shortcode attributes are not properly validated and escaped by the plugin, potentially allowing an attacker with contributor role or higher to perform stored cross-site scripting attacks.
Mitigation steps: Update to Table of Contents Plus plugin version 2212 or greater.
ProfilePress — Cross-Site Scripting
Security Risk: Medium Exploitation Level: Requires admin or other high-level authentication. Vulnerability: Cross-Site Scripting CVE: CVE-2022-4697 Number of Installations: 300,000+ Affected Software: ProfilePress <= 4.5.0 Patched Versions: ProfilePress 4.5.1
The plugin does not properly sanitize inputs or escape outputs in a parameter, potentially allowing an authenticated bad actor to perform cross-site scripting attacks.
Mitigation steps: Update to ProfilePress plugin version 4.5.1 or greater.
YITH WooCommerce Compare — Cross-Site Request Forgery
Security Risk: Medium Exploitation Level: No authentication required (the victim must be logged in). Vulnerability: Cross-Site Request Forgery (Broken Access Control) CVE: CVE-2022-44630 Number of Installations: 200,000+ Affected Software: YITH WooCommerce Compare <= 2.20.0 Patched Versions: YITH WooCommerce Compare 2.20.1
A CSRF vulnerability in the plugin can allow an attacker to trick a logged-in admin or other high-privilege user into performing unwanted actions, for example by getting them to open a crafted page or link while authenticated.
Mitigation steps: Update to YITH WooCommerce Compare plugin version 2.20.1 or greater.
Slimstat Analytics — Unauthenticated Cross-Site Scripting
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Cross-Site Scripting CVE: CVE-2022-4310 Number of Installations: 100,000+ Affected Software: Slimstat Analytics <= 4.9.2 Patched Versions: Slimstat Analytics 4.9.3
Mitigation steps: Update to Slimstat Analytics plugin version 4.9.3 or greater.
YITH WooCommerce Quick View — Cross-Site Request Forgery
Security Risk: Medium Exploitation Level: No authentication required (the victim must be logged in). Vulnerability: Cross-Site Request Forgery (Broken Access Control) CVE: CVE-2022-44630 Number of Installations: 100,000+ Affected Software: YITH WooCommerce Quick View <= 1.21.0 Patched Versions: YITH WooCommerce Quick View 1.21.1
A CSRF vulnerability in the plugin can allow an attacker to trick a logged-in admin or other high-privilege user into performing unwanted actions, for example by getting them to open a crafted page or link while authenticated.
Mitigation steps: Update to YITH WooCommerce Quick View plugin version 1.21.1 or greater.
Download Manager — Stored Cross-Site Scripting
Security Risk: Medium Exploitation Level: Requires contributor or higher authentication. Vulnerability: Cross-Site Scripting CVE: CVE-2022-4476 Number of Installations: 100,000+ Affected Software: Download Manager <= 3.2.61 Patched Versions: Download Manager 3.2.62
Some shortcode attributes are not properly validated and escaped by the plugin, potentially allowing an attacker with contributor role or higher to perform stored cross-site scripting attacks.
Mitigation steps: Update to Download Manager plugin version 3.2.62 or greater.
Smash Balloon Social Post Feed — Stored Cross-Site Scripting
Security Risk: Medium Exploitation Level: Requires contributor or higher authentication. Vulnerability: Cross-Site Scripting CVE: CVE-2022-4477 Number of Installations: 100,000+ Affected Software: Smash Balloon Social Post Feed <= 4.1.5 Patched Versions: Smash Balloon Social Post Feed 4.1.6
Some shortcode attributes are not properly validated and escaped by the plugin, potentially allowing an attacker with contributor role or higher to perform stored cross-site scripting attacks.
Mitigation steps: Update to Smash Balloon Social Post Feed plugin version 4.1.6 or greater.
Mesmerize Companion — Stored Cross-Site Scripting
Security Risk: Medium Exploitation Level: Requires contributor or higher authentication. Vulnerability: Cross-Site Scripting CVE: CVE-2022-4481 Number of Installations: 100,000+ Affected Software: Mesmerize Companion <= 1.6.134 Patched Versions: Mesmerize Companion 1.6.135
Some shortcode attributes are not properly validated and escaped by the plugin, potentially allowing an attacker with contributor role or higher to perform stored cross-site scripting attacks.
Mitigation steps: Update to Mesmerize Companion plugin version 1.6.135 or greater.
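The Table of Contents Plus, Download Manager, Smash Balloon Social Post Feed and Mesmerize Companion entries above share one root cause: a shortcode handler that drops attribute values into HTML without escaping them. The following is an added example written for this post, not code from any of those plugins. It shows the vulnerable pattern in a hypothetical [my_box_vuln] shortcode next to a hardened [my_box_safe] version, and assumes a normal WordPress runtime for add_shortcode(), shortcode_atts() and the sanitize_*/esc_* helpers.

```php
<?php
// Added example for this post, not code from any plugin named above.
// A hypothetical shortcode that renders a titled box, first in the
// vulnerable form behind this month's "shortcode attributes not
// validated and escaped" entries, then hardened. Assumes a normal
// WordPress runtime (add_shortcode, shortcode_atts, sanitize_*/esc_*).

// VULNERABLE: attribute values are concatenated straight into markup.
// A contributor can save a post containing
//   [my_box_vuln title='x" onmouseover="alert(document.cookie)' width="200"]
// A single-quoted shortcode attribute may contain double quotes, so the
// value closes the title="" attribute and appends an event handler.
// Contributors lack unfiltered_html, so handlers are stripped from HTML
// tags they type into the post body, but that filtering does not look
// inside shortcode brackets: the plugin builds this markup itself at
// render time, and every visitor to the post receives it.
function my_box_vuln( $atts ) {
    $title = isset( $atts['title'] ) ? $atts['title'] : '';
    $width = isset( $atts['width'] ) ? $atts['width'] : '100';
    $link  = isset( $atts['link'] )  ? $atts['link']  : '';
    return '<div class="my-box" style="width:' . $width . 'px" title="' . $title . '">'
         . '<a href="' . $link . '">' . $title . '</a></div>';
}
add_shortcode( 'my_box_vuln', 'my_box_vuln' );

// HARDENED: declare every accepted attribute with a default so unknown
// ones are dropped, coerce each value to the type the template expects,
// and escape for the exact HTML context it lands in.
function my_box_safe( $atts ) {
    $atts = shortcode_atts(
        array(
            'title' => '',
            'width' => 100,
            'link'  => '',
        ),
        $atts,
        'my_box_safe'
    );

    $title = sanitize_text_field( $atts['title'] );               // plain text only
    $width = absint( $atts['width'] );                             // an integer, never a string
    $link  = esc_url( $atts['link'], array( 'http', 'https' ) );   // drops javascript: and data: URLs

    // esc_attr() inside attribute values, esc_html() in element content.
    // $width is already an int, so interpolating it cannot inject anything.
    $html  = '<div class="my-box" style="width:' . $width . 'px" title="' . esc_attr( $title ) . '">';
    $html .= ( '' !== $link )
        ? '<a href="' . esc_url( $link ) . '">' . esc_html( $title ) . '</a>'
        : esc_html( $title );
    $html .= '</div>';
    return $html;
}
add_shortcode( 'my_box_safe', 'my_box_safe' );
```

The sanitize step is about type and storage; the escape step at output is what actually closes the hole, because esc_attr() turns the injected quote into `&quot;` so it can never terminate the attribute. The reflected cases in this list (Loginizer, Afterpay Gateway) are the same rule applied to request parameters: whatever comes from $_GET or $_POST is escaped with esc_html()/esc_attr() at the point it is written back into the page.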
YITH WooCommerce Catalog Mode — Cross-Site Request Forgery
Security Risk: Medium Exploitation Level: No authentication required (the victim must be logged in). Vulnerability: Cross-Site Request Forgery (Broken Access Control) CVE: CVE-2022-44630 Number of Installations: 60,000+ Affected Software: YITH WooCommerce Catalog Mode <= 2.16.0 Patched Versions: YITH WooCommerce Catalog Mode 2.16.1
A CSRF vulnerability in the plugin can allow an attacker to trick a logged-in admin or other high-privilege user into performing unwanted actions, for example by getting them to open a crafted page or link while authenticated.
Mitigation steps: Update to YITH WooCommerce Catalog Mode plugin version 2.16.1 or greater.
Afterpay Gateway for WooCommerce — Reflected Cross-Site Scripting
Security Risk: Medium Exploitation Level: No authentication required. Vulnerability: Cross-Site Scripting CVE: CVE-2022-29416 Number of Installations: 10,000+ Affected Software: Afterpay Gateway for WooCommerce <= 3.5.0 Patched Versions: Afterpay Gateway for WooCommerce 3.5.1
A request parameter is not properly sanitized and escaped before being output back into the page, which can lead to a reflected cross-site scripting attack against any user who opens a crafted link.
Mitigation steps: Update to Afterpay Gateway for WooCommerce plugin version 3.5.1 or greater.
YITH WooCommerce Order & Shipment Tracking — Cross-Site Request Forgery
Security Risk: Medium Exploitation Level: No authentication required (the victim must be logged in). Vulnerability: Cross-Site Request Forgery (Broken Access Control) CVE: CVE-2022-44630 Number of Installations: 10,000+ Affected Software: YITH WooCommerce Order & Shipment Tracking <= 2.7.0 Patched Versions: YITH WooCommerce Order & Shipment Tracking 2.8.0
A CSRF vulnerability in the plugin can allow an attacker to trick a logged-in admin or other high-privilege user into performing unwanted actions, for example by getting them to open a crafted page or link while authenticated.
Mitigation steps: Update to YITH WooCommerce Order & Shipment Tracking plugin version 2.8.0 or greater.
YITH Essential Kit for WooCommerce #1 — Cross-Site Request Forgery
Security Risk: Medium Exploitation Level: No authentication required (the victim must be logged in). Vulnerability: Cross-Site Request Forgery (Broken Access Control) CVE: CVE-2022-44630 Number of Installations: 10,000+ Affected Software: YITH Essential Kit for WooCommerce #1 <= 2.13.0 Patched Versions: YITH Essential Kit for WooCommerce #1 2.14.0
A CSRF vulnerability in the plugin can allow an attacker to trick a logged-in admin or other high-privilege user into performing unwanted actions, for example by getting them to open a crafted page or link while authenticated.
Mitigation steps: Update to YITH Essential Kit for WooCommerce #1 plugin version 2.14.0 or greater.
YITH Infinite Scrolling — Cross-Site Request Forgery
Security Risk: Medium Exploitation Level: No authentication required (the victim must be logged in). Vulnerability: Cross-Site Request Forgery (Broken Access Control) CVE: CVE-2022-44630 Number of Installations: 10,000+ Affected Software: YITH Infinite Scrolling <= 1.7.0 Patched Versions: YITH Infinite Scrolling 1.8.0
A CSRF vulnerability in the plugin can allow an attacker to trick a logged-in admin or other high-privilege user into performing unwanted actions, for example by getting them to open a crafted page or link while authenticated.
Mitigation steps: Update to YITH Infinite Scrolling plugin version 1.8.0 or greater.
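Every YITH entry in this list (Wishlist, Compare, Quick View, Catalog Mode, Order & Shipment Tracking, Essential Kit #1 and Infinite Scrolling) is the same class of bug, so one added example covers them all. It is written for this post and is not YITH code: a hypothetical admin-post.php handler that resets a plugin's settings, first relying on the capability check alone, then adding a WordPress nonce. It assumes a normal WordPress runtime for the admin_post_* hooks, current_user_can(), wp_nonce_url() and check_admin_referer().

```php
<?php
// Added example for this post, not code from any YITH plugin. A
// hypothetical "reset settings" action served through admin-post.php,
// first with the flaw shared by this month's CSRF entries, then fixed.
// Assumes a normal WordPress runtime (admin_post_* hooks, current_user_can,
// wp_nonce_url, check_admin_referer, wp_safe_redirect, admin_url).

// VULNERABLE: the handler verifies WHO is calling (an administrator) but
// not whether they MEANT to. Any page on any origin can embed
//   <img src="https://victim.example/wp-admin/admin-post.php?action=demo_reset_vuln">
// and a logged-in admin's browser sends the request with their session
// cookies, so the capability check passes and the destructive code runs.
function demo_reset_vuln() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    delete_option( 'demo_plugin_settings' ); // state-changing side effect
    wp_safe_redirect( admin_url( 'options-general.php?page=demo&reset=1' ) );
    exit;
}
add_action( 'admin_post_demo_reset_vuln', 'demo_reset_vuln' );

// HARDENED, part 1: the link rendered on the plugin's own settings page
// carries a nonce bound to this action and to the current user's session.
// A third-party page cannot know that value.
function demo_reset_link() {
    $url = admin_url( 'admin-post.php?action=demo_reset' );
    return wp_nonce_url( $url, 'demo_reset', '_wpnonce' );
}

// HARDENED, part 2: the handler refuses any request without a valid nonce.
function demo_reset_safe() {
    if ( ! current_user_can( 'manage_options' ) ) { // authority: may this user do it?
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'demo_reset', '_wpnonce' );  // intent: did they trigger it from our UI?
    // check_admin_referer() calls wp_die() on a missing, wrong or expired
    // nonce, so nothing past this line runs for a forged request.

    delete_option( 'demo_plugin_settings' );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo&reset=1' ) );
    exit;
}
add_action( 'admin_post_demo_reset', 'demo_reset_safe' );
```

The two checks answer different questions and both are needed: the capability check says whether this user may perform the action, the nonce says whether this user actually asked for it. For destructive actions a POST form with wp_nonce_field() is preferable to a nonce in a GET URL, which can end up in browser history and referrer logs; for admin-ajax.php endpoints the equivalent check is check_ajax_referer().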
GD bbPress Attachments — Stored Cross-Site Scripting
Security Risk: Low Exploitation Level: Requires admin or other high privilege authentication. Vulnerability: Cross-Site Scripting CVE: CVE-2022-45816 Number of Installations: 8,000+ Affected Software: GD bbPress Attachments <= 4.3 Patched Versions: GD bbPress Attachments 4.4
Some settings are not properly escaped and sanitized, potentially allowing an admin or other high privilege user to perform stored cross-site scripting attacks.
Mitigation steps: Update to GD bbPress Attachments plugin version 4.4 or greater.
Chained Quiz — Multiple Reflected Cross-Site Scripting
Security Risk: Low Exploitation Level: No authentication required. Vulnerability: Cross-Site Scripting CVE: CVE-2022-4208, CVE-2022-4209, CVE-2022-4210, CVE-2022-4211, CVE-2022-4212 Number of Installations: 2,000+ Affected Software: Chained Quiz <= 1.3.2.2 Patched Versions: Chained Quiz 1.3.2.3
The datef, pointsf, ipf, email and dnf parameters are not properly sanitized and escaped by the plugin, potentially leading to reflected cross-site scripting attacks.
Mitigation steps: Update to Chained Quiz plugin version 1.3.2.3 or greater.
Update your website software to mitigate risk. Users who are not able to update to the latest version right away are encouraged to use a web application firewall to help virtually patch known vulnerabilities in the meantime; a firewall reduces exposure but does not replace the update.
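As a practical check against this month's list, here is an added stand-alone PHP script that is not part of the original post and is not a WordPress or vendor tool. It reads each installed plugin's header and reports versions that fall inside the affected ranges listed above. It assumes the plugin header's "Plugin Name:" matches the names used in this post; where a vendor's header differs, add that name to the table. Run it from the command line with the path to wp-content/plugins.

```php
<?php
// Added example, not part of the original roundup. Stand-alone audit of
// installed WordPress plugins against the affected ranges listed above.
// Usage: php audit.php /var/www/html/wp-content/plugins
// Assumption: each plugin's "Plugin Name:" header matches the name used in
// this post; add aliases to ADVISORIES if a vendor's header differs.

// name => [comparison, highest affected version, first patched version]
// 'le': installed <= max is affected; 'lt': installed < max is affected.
const ADVISORIES = array(
    'Autoptimize'                                => array( 'le', '3.0.4',   '3.1.0' ),
    'Loginizer'                                  => array( 'le', '1.7.5',   '1.7.6' ),
    'YITH WooCommerce Wishlist'                  => array( 'le', '3.14.0',  '3.15.0' ),
    'Table of Contents Plus'                     => array( 'lt', '2212',    '2212' ),
    'ProfilePress'                               => array( 'le', '4.5.0',   '4.5.1' ),
    'YITH WooCommerce Compare'                   => array( 'le', '2.20.0',  '2.20.1' ),
    'Slimstat Analytics'                         => array( 'le', '4.9.2',   '4.9.3' ),
    'YITH WooCommerce Quick View'                => array( 'le', '1.21.0',  '1.21.1' ),
    'Download Manager'                           => array( 'le', '3.2.61',  '3.2.62' ),
    'Smash Balloon Social Post Feed'             => array( 'le', '4.1.5',   '4.1.6' ),
    'Mesmerize Companion'                        => array( 'le', '1.6.134', '1.6.135' ),
    'YITH WooCommerce Catalog Mode'              => array( 'le', '2.16.0',  '2.16.1' ),
    'Afterpay Gateway for WooCommerce'           => array( 'le', '3.5.0',   '3.5.1' ),
    'YITH WooCommerce Order & Shipment Tracking' => array( 'le', '2.7.0',   '2.8.0' ),
    'YITH Essential Kit for WooCommerce #1'      => array( 'le', '2.13.0',  '2.14.0' ),
    'YITH Infinite Scrolling'                    => array( 'le', '1.7.0',   '1.8.0' ),
    'GD bbPress Attachments'                     => array( 'le', '4.3',     '4.4' ),
    'Chained Quiz'                               => array( 'le', '1.3.2.2', '1.3.2.3' ),
);

// Extract Plugin Name and Version from the header comment that opens a
// plugin's main file; returns null for any other PHP file.
function parse_plugin_header( string $contents ): ?array {
    $head = substr( $contents, 0, 8192 ); // WordPress itself reads only the first 8 KB
    if ( ! preg_match( '/^[ \t\/*#@]*Plugin Name:\s*(.+)$/mi', $head, $name )
      || ! preg_match( '/^[ \t\/*#@]*Version:\s*(.+)$/mi', $head, $version ) ) {
        return null;
    }
    return array( 'name' => trim( $name[1] ), 'version' => trim( $version[1] ) );
}

// True when the installed version falls inside the advisory's affected range.
function is_affected( string $installed, array $advisory ): bool {
    list( $op, $max ) = $advisory;
    // version_compare() handles dotted versions ("1.3.2.2") and bare build
    // numbers ("2212") alike, which a plain string comparison would not.
    return version_compare( $installed, $max, 'lt' === $op ? '<' : '<=' );
}

// Scan a plugins directory; returns name => [installed, patched] for each hit.
function audit_plugins( string $plugins_dir ): array {
    $dir   = rtrim( $plugins_dir, '/' );
    $files = array_merge(
        glob( $dir . '/*.php' ) ?: array(),   // single-file plugins
        glob( $dir . '/*/*.php' ) ?: array()  // plugin folders
    );
    $hits = array();
    foreach ( $files as $file ) {
        $header = parse_plugin_header( (string) file_get_contents( $file ) );
        if ( null === $header || ! isset( ADVISORIES[ $header['name'] ] ) ) {
            continue;
        }
        $advisory = ADVISORIES[ $header['name'] ];
        if ( is_affected( $header['version'], $advisory ) ) {
            $hits[ $header['name'] ] = array( $header['version'], $advisory[2] );
        }
    }
    return $hits;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $hits = audit_plugins( $argv[1] );
    foreach ( $hits as $name => list( $installed, $patched ) ) {
        printf( "VULNERABLE: %s %s (update to %s or later)\n", $name, $installed, $patched );
    }
    exit( $hits ? 1 : 0 ); // non-zero exit status for use from cron or CI
}
```

The comparison direction matters: Table of Contents Plus is listed as "< 2212" (2212 is the fix), while every other entry is "<=" its last vulnerable release, which is why the table records the operator alongside the version. On a host with WP-CLI, `wp plugin list` produces the same name and version data and can be fed into the same comparison.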