Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. If you don’t have it installed yet, you can use our web application firewall to protect against known vulnerabilities.
All-In-One Security (AIOS) — Multiple Cross-Site Request Forgery (CSRF)
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Cross-Site Request Forgery (CSRF)
CVE: CVE-2022-44737
Number of Installations: 1,000,000+
Affected Software: All-In-One Security <= 5.1.0
Patched Versions: All-In-One Security 5.1.1
Mitigation steps: Update to All-In-One Security (AIOS) plugin version 5.1.1 or greater.
Popup Maker — Authenticated Stored Cross-Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires authenticated admin or other high privilege user.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2022-3690
Number of Installations: 700,000+
Affected Software: Popup Maker <= 1.16.10
Patched Versions: Popup Maker 1.16.11
Some popup options are not properly sanitized and escaped by the plugin, potentially allowing admins and other high privilege users to perform stored cross-site scripting attacks.
Mitigation steps: Update to Popup Maker plugin version 1.16.11 or greater.
Broken Link Checker — Authenticated Cross-Site Scripting
Security Risk: Low
Exploitation Level: Requires authenticated admin or other high privilege user.
Vulnerability: Cross-Site Scripting (XSS)
CVE: CVE-2022-3922
Number of Installations: 700,000+
Affected Software: Broken Link Checker <= 1.11.19
Patched Versions: Broken Link Checker 1.11.20
Some settings are not properly sanitized and escaped by the plugin, potentially allowing high privilege users to perform stored cross-site scripting attacks.
Mitigation steps: Update to Broken Link Checker plugin version 1.11.20 or greater.
Contact Form 7 Database Addon — CSV Injection
Security Risk: Low
Exploitation Level: Requires user authentication with export capabilities.
Vulnerability: Injection
CVE: CVE-2022-3634
Number of Installations: 500,000+
Affected Software: Contact Form 7 Database Addon <= 1.2.6.3
Patched Versions: Contact Form 7 Database Addon 1.2.6.5
Data is not validated by the plugin when outputting it back into a CSV file, potentially leading to CSV injections.
Mitigation steps: Update to Contact Form 7 Database Addon plugin version 1.2.6.5 or greater.
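As an added illustration of the CSV injection class described above (this is example code, not the addon's own), the following PHP neutralises cells that a spreadsheet would evaluate as formulas before they are written to a CSV export. The function names and sample rows are constructed for this example.

```php
<?php
// Added example: defensive CSV export for user-submitted form data.
// Spreadsheet applications treat a cell beginning with =, +, -, @ (and, per
// OWASP guidance, a tab or carriage return) as a formula. Prefixing such a cell
// with a single quote makes the application render it as literal text.

function example_csv_escape_cell( $value ) {
    $value = (string) $value;
    if ( $value !== '' && strpbrk( $value[0], "=+-@\t\r" ) !== false ) {
        return "'" . $value;
    }
    return $value;
}

function example_write_csv( array $rows, $stream ) {
    foreach ( $rows as $row ) {
        // fputcsv() handles quoting of delimiters, quotes and embedded newlines;
        // the formula prefix is applied to every cell before that.
        fputcsv( $stream, array_map( 'example_csv_escape_cell', $row ) );
    }
}

// Constructed sample input: one ordinary submission and one whose first field
// starts with "=" and whose last field starts with "+", as a submitter could type.
$rows = array(
    array( 'Alice', 'alice@example.com', 'Thanks for the quick reply' ),
    array( '=SUM(1,2)', 'bob@example.com', '+44 1234 567890' ),
);

$out = fopen( 'php://output', 'w' );
example_write_csv( $rows, $out );
fclose( $out );
// The second row is written as "'=SUM(1,2)",bob@example.com,"'+44 1234 567890"
// so the export opens as plain text rather than as evaluated formulas.
```

Note that a legitimate value such as a phone number beginning with "+" also receives the prefix; exports that must preserve such values exactly should strip the leading quote on import rather than skip the check.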
Checkout Field Editor for WooCommerce — PHP Object Injection
Security Risk: Medium
Exploitation Level: Requires Admin or other high privilege role authentication.
Vulnerability: Injection
CVE: CVE-2022-3490
Number of Installations: 400,000+
Affected Software: Checkout Field Editor for WooCommerce <= 1.7.2
Patched Versions: Checkout Field Editor for WooCommerce 1.8.0
Mitigation steps: Update to Checkout Field Editor for WooCommerce plugin version 1.8.0 or greater.
Plugin for Google Reviews — Broken Access Control
Security Risk: Medium
Exploitation Level: Requires subscriber or higher authentication.
Vulnerability: Broken Access Control
CVE: CVE-2022-45369
Number of Installations: 100,000+
Affected Software: Plugin for Google Reviews <= 2.2.2
Patched Versions: Plugin for Google Reviews 2.2.4
Mitigation steps: Update to Plugin for Google Reviews plugin version 2.2.4 or greater.
Chaty — SQLi
Security Risk: Medium
Exploitation Level: Requires admin or other high privilege user authentication.
Vulnerability: Injection
CVE: CVE-2022-3858
Number of Installations: 100,000+
Affected Software: Chaty
Patched Versions: Chaty 3.0.3
A parameter is not properly escaped and sanitized prior to use in SQL statements, potentially leading to SQL injections.
Mitigation steps: Update to Chaty plugin version 3.0.3 or greater.
Web Stories — Server-Side Request Forgery (SSRF)
Security Risk: High
Exploitation Level: Requires subscriber or higher authentication.
Vulnerability: Injection
CVE: CVE-2022-3708
Number of Installations: 100,000+
Affected Software: Web Stories <= 1.24.0
Patched Versions: Web Stories 1.25.0
Insufficient validation of URLs by the plugin makes it possible for authenticated users to make requests, query, and modify information.
Mitigation steps: Update to Web Stories plugin version 1.25.0 or greater.
Crowdsignal Dashboard — Privilege Escalation
Security Risk: Medium
Exploitation Level: Requires contributor or higher authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2022-45069
Number of Installations: 90,000+
Affected Software: Crowdsignal Dashboard <= 3.0.9
Patched Versions: Crowdsignal Dashboard 3.0.10
A missing permissions check makes it possible for contributors and higher to access and change sitewide rating settings.
Mitigation steps: Update to Crowdsignal Dashboard plugin version 3.0.10 or greater.
Blog2Social — Missing Authorization
Security Risk: Medium
Exploitation Level: Requires subscriber or higher authentication.
Vulnerability: Broken Access Control
CVE: CVE-2022-3622
Number of Installations: 70,000+
Affected Software: Blog2Social <= 6.9.11
Patched Versions: Blog2Social 6.9.12
A missing authorization check can potentially allow authenticated attackers to change plugin settings.
Mitigation steps: Update to Blog2Social plugin version 6.9.12 or greater.
Advanced Import — Arbitrary Plugin Installation & Activation via CSRF
Security Risk: Medium
Exploitation Level: Requires admin or other high privilege role authentication.
Vulnerability: Broken Authentication and Session Management
CVE: CVE-2022-3677
Number of Installations: 70,000+
Affected Software: Advanced Import <= 1.3.7
Patched Versions: Advanced Import 1.3.8
A CSRF check is not performed when installing and activating plugins, potentially allowing an authenticated admin attacker to install and activate arbitrary plugins.
Mitigation steps: Update to Advanced Import plugin version 1.3.8 or greater.
Permalink Manager Lite — Settings Update via CSRF
Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication and Session Management
CVE: CVE-2022-4021
Number of Installations: 60,000+
Affected Software: Permalink Manager Lite <= 2.2.20.1
Patched Versions: Permalink Manager Lite 2.2.20.2
A CSRF check is not in place when plugin settings are updated, potentially allowing an attacker to change them via CSRF.
Mitigation steps: Update to Permalink Manager Lite plugin version 2.2.20.2 or greater.
WP Admin UI Customize — Stored Cross-Site Scripting (XSS)
Security Risk: Low
Exploitation Level: Requires admin or other high privilege authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2022-3824
Number of Installations: 40,000+
Affected Software: WP Admin UI Customize <= 1.5.12
Patched Versions: WP Admin UI Customize 1.5.13
Settings are not properly escaped and sanitized by the plugin, potentially allowing an attacker with high privilege authentication to perform stored cross-site scripting attacks.
Mitigation steps: Update to WP Admin UI Customize plugin version 1.5.13 or greater.
Beautiful Cookie Consent Banner — Stored Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires admin or other high privilege user authentication.
Vulnerability: Cross-Site Scripting
CVE: CVE-2022-3823
Number of Installations: 40,000+
Affected Software: Beautiful Cookie Consent Banner <= 2.9.0
Patched Versions: Beautiful Cookie Consent Banner 2.9.1
Settings are not properly escaped and sanitized, potentially allowing an attacker with high privilege authentication to perform a stored cross-site scripting attack.
Mitigation steps: Update to Beautiful Cookie Consent Banner plugin version 2.9.1 or greater.
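Several entries above (the missing authorization checks, the settings-update and plugin-install CSRF issues, and the stored XSS in unsanitized settings) come down to the same three checks being absent from a settings handler. The following is an added example, not code from any of the plugins listed, of a WordPress settings handler that performs all three; the plugin prefix "example", its option name and the field names are assumptions.

```php
<?php
// Added example: a WordPress admin-post handler with the checks whose absence
// produces the Missing Authorization, CSRF and stored XSS classes in this roundup.
// Prefix "example" and all option/field names are hypothetical.

add_action( 'admin_post_example_save_settings', 'example_save_settings' );

function example_save_settings() {
    // 1. Authorization: a capability check, so a subscriber or contributor
    //    cannot reach the save logic at all (the Missing Authorization class).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the request must carry a nonce tied to this action and this user.
    //    check_admin_referer() terminates with a 403 if it is missing or invalid,
    //    so a forged cross-site form submission cannot change settings.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Sanitize on input: wp_unslash() removes the slashes WordPress adds,
    //    sanitize_text_field() strips tags and control characters.
    $title = isset( $_POST['example_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_title'] ) )
        : '';
    update_option( 'example_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=example&updated=1' ) );
    exit;
}

// The settings form that posts to the handler. wp_nonce_field() emits the hidden
// input that check_admin_referer() verifies above.
function example_settings_form() {
    $title = get_option( 'example_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <!-- 4. Escape on output for the attribute context: a value stored by one
             admin is rendered as text, not markup, when another admin views it. -->
        <input type="text" name="example_title"
               value="<?php echo esc_attr( $title ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The capability check and the nonce check are independent: a nonce proves the request originated from a form WordPress rendered for this user, while the capability check decides whether that user may perform the action at all, so neither one substitutes for the other.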
Easy Video Player — Stored Cross-Site Scripting (XSS)
Security Risk: Medium
Exploitation Level: Requires contributor or higher level authentication.
Vulnerability: Cross-site Scripting (XSS)
CVE: CVE-2022-3937
Number of Installations: 40,000+
Affected Software: Easy Video Player <= 1.2.2.2
Patched Versions: Easy Video Player 1.2.2.3
Parameters are not properly escaped and sanitized by the plugin, potentially allowing contributor users or higher to perform cross-site scripting attacks.
Mitigation steps: Update to Easy Video Player plugin version 1.2.2.3 or greater.
Users who are not able to update their software with the latest version are encouraged to use a web application firewall to virtually patch these vulnerabilities and protect their website.