Vulnerability Advisories Continued

Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence assigns CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes.

Assigned CVE IDs and the vulnerability details are published below. For more information about submitting vulnerabilities to Wordfence for CVE ID assignment, please refer to our vulnerability disclosure policy.

**This page is no longer maintained, please visit Wordfence Intelligence Community Edition for the latest Information on Vulnerabilities.** 


Chained Quiz <= 1.3.2.2 – Authenticated (Admin+) Stored Cross-Site Scripting via Mailchimp API Key

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2
CVE ID: CVE-2022-4217
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.3
Recommended Remediation: Update to version 1.3.2.3, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘api_key’ parameter in versions up to, and including, 1.3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Chained Quiz <= 1.3.2.2 – Authenticated (Admin+) Stored Cross-Site Scripting via Facebook App ID

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2
CVE ID: CVE-2022-4216
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.3
Recommended Remediation: Update to version 1.3.2.3, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘facebook_appid’ parameter in versions up to, and including, 1.3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Chained Quiz <= 1.3.2 – Reflected Cross-Site Scripting via datef

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2
CVE ID: CVE-2022-4208
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.1
Recommended Remediation: Update to version 1.3.2.1, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘datef’ parameter on the ‘chainedquiz_list’ page in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


Chained Quiz <= 1.3.2 – Reflected Cross-Site Scripting via pointsf

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2
CVE ID: CVE-2022-4209
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.1
Recommended Remediation: Update to version 1.3.2.1, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘pointsf’ parameter on the ‘chainedquiz_list’ page in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


Chained Quiz <= 1.3.2 – Reflected Cross-Site Scripting via dnf

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2
CVE ID: CVE-2022-4210
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.1
Recommended Remediation: Update to version 1.3.2.1, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dnf’ parameter on the ‘chainedquiz_list’ page in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


Chained Quiz <= 1.3.2 – Reflected Cross-Site Scripting via emailf

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2
CVE ID: CVE-2022-4211
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.1
Recommended Remediation: Update to version 1.3.2.1, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ’emailf’ parameter on the ‘chainedquiz_list’ page in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


Chained Quiz <= 1.3.2 – Reflected Cross-Site Scripting via ipf

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2
CVE ID: CVE-2022-4212
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.1
Recommended Remediation: Update to version 1.3.2.1, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘ipf’ parameter on the ‘chainedquiz_list’ page in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


Chained Quiz <= 1.3.2.2 – Reflected Cross-Site Scripting via dn

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2.2
CVE ID: CVE-2022-4213
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.3
Recommended Remediation: Update to version 1.3.2.3, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dn’ parameter on the ‘chainedquiz_list’ page in versions up to, and including, 1.3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


Chained Quiz <= 1.3.2.3 – Reflected Cross-Site Scripting via ip

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2.3
CVE ID: CVE-2022-4214
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.4
Recommended Remediation: Update to version 1.3.2.4, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘ip’ parameter on the ‘chainedquiz_list’ page in versions up to, and including, 1.3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


Chained Quiz <= 1.3.2.3 – Reflected Cross-Site Scripting via date

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2.3
CVE ID: CVE-2022-4215
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.4
Recommended Remediation: Update to version 1.3.2.4, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘date’ parameter on the ‘chainedquiz_list’ page in versions up to, and including, 1.3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


Chained Quiz <= 1.3.2.4 – Cross-Site Request Forgery to Question Deletion

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2.4
CVE ID: CVE-2022-4220
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.5
Recommended Remediation: Update to version 1.3.2.5, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4. This is due to missing nonce validation on the list_questions() function. This makes it possible for unauthenticated attackers to delete questions from quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


Chained Quiz <= 1.3.2.4 – Cross-Site Request Forgery to Submitted Response Deletion

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2.4
CVE ID: CVE-2022-4219
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.5
Recommended Remediation: Update to version 1.3.2.5, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4. This is due to missing nonce validation on the manage() function. This makes it possible for unauthenticated attackers to delete submitted quiz responses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


Chained Quiz <= 1.3.2.4 – Cross-Site Request Forgery to Arbitrary Quiz Deletion and Copying

Affected Plugin: Chained Quiz
Plugin Slug: chained-quiz
Affected Versions: <= 1.3.2.4
CVE ID: CVE-2022-4218
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 1.3.2.5
Recommended Remediation: Update to version 1.3.2.5, or newer patched version.
Publication Date: 2022-12-02

The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4. This is due to missing nonce validation on the list_quizzes() function. This makes it possible for unauthenticated attackers to delete quizzes and copy quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


Appointment Hour Booking <= 1.3.72 – CAPTCHA Bypass

Affected Plugin: Appointment Hour Booking
Plugin Slug: appointment-hour-booking
Affected Versions: <= 1.3.72
CVE ID: CVE-2022-4036
CVSS Score: 5.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Researcher/s: Luca Greeb, Andreas Krüger
Fully Patched Version: 1.3.73
Recommended Remediation: Update to version 1.3.73, or newer patched version.
Publication Date: 2022-11-29

The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of insufficiently strong hashing algorithm on the CAPTCHA secret that is also displayed to the user via a cookie.


Appointment Hour Booking <= 1.3.72 – Unauthenticated iFrame Injection via Appointment Form

Affected Plugin: Appointment Hour Booking
Plugin Slug: appointment-hour-booking
Affected Versions: <= 1.3.72
CVE ID: CVE-2022-4035
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Luca Greeb, Andreas Krüger
Fully Patched Version: 1.3.73
Recommended Remediation: Update to version 1.3.73, or newer patched version.
Publication Date: 2022-11-29

The Appointment Hour Booking plugin for WordPress is vulnerable to iFrame Injection via the ‘email’ or general field parameters in versions up to, and including, 1.3.72 due to insufficient input sanitization and output escaping that makes injecting iFrame tags possible. This makes it possible for unauthenticated attackers to inject iFrames when submitting a booking that will execute whenever a user accesses the injected booking details page.


Appointment Hour Booking <= 1.3.72 – CSV Injection

Affected Plugin: Appointment Hour Booking
Plugin Slug: appointment-hour-booking
Affected Versions: <= 1.3.72
CVE ID: CVE-2022-4034
CVSS Score: 5.8 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Researcher/s: Luca Greeb, Andreas Krüger
Fully Patched Version: 1.3.73
Recommended Remediation: Update to version 1.3.73, or newer patched version.
Publication Date: 2022-11-29

The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a site’s administrator exports booking details. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.


Quiz and Survey Master <= 8.0.4 – Improper Input Validation

Affected Plugin: Quiz and Survey Master
Plugin Slug: quiz-master-next
Affected Versions: <= 8.0.4
CVE ID: CVE-2022-4033
CVSS Score: 5.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Researcher/s: Luca Greeb, Andreas Krüger
Fully Patched Version: 8.0.5
Recommended Remediation: Update to version 8.0.5, or newer patched version.
Publication Date: 2022-11-29

The Quiz and Survey Master plugin for WordPress is vulnerable to input validation bypass via the ‘question[id]’ parameter in versions up to, and including, 8.0.4 due to insufficient input validation that allows attackers to inject content other than the specified value (i.e. a number, file path, etc..). This makes it possible attackers to submit values other than the intended input type.


Quiz and Survey Master <= 8.0.4 – Unauthenticated iFrame Injection via Paragraph and Short Answer

Affected Plugin: Quiz and Survey Master
Plugin Slug: quiz-master-next
Affected Versions: <= 8.0.4
CVE ID: CVE-2022-4032
CVSS Score: 7.2 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Luca Greeb, Andreas Krüger
Fully Patched Version: 8.0.5
Recommended Remediation: Update to version 8.0.5, or newer patched version.
Publication Date: 2022-11-29

The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the ‘question[id]’ parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute whenever a user accesses an injected page.


Simple:Press <= 6.8 – Authenticated (Admin+) Path Traversal to Arbitrary File Modification

Affected Plugin: Simple:Press
Plugin Slug: simplepress
Affected Versions: <= 6.8
CVE ID: CVE-2022-4031
CVSS Score: 3.1 (Low)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Researcher/s: Luca Greeb, Andreas Krüger
Fully Patched Version: 6.8.1
Recommended Remediation: Update to version 6.8.1, or newer patched version.
Publication Date: 2022-11-29

The Simple:Press plugin for WordPress is vulnerable to arbitrary file modifications in versions up to, and including, 6.8 via the ‘file’ parameter which does not properly restrict files to be edited in the context of the plugin. This makes it possible with attackers, with high-level permissions such as an administrator, to supply paths to arbitrary files on the server that can be modified outside of the intended scope of the plugin.


Simple:Press <= 6.8 – Authenticated (Subscriber+) Path Traversal to Arbitrary File Deletion

Affected Plugin: Simple:Press
Plugin Slug: simplepress
Affected Versions: <= 6.8
CVE ID: CVE-2022-4030
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Researcher/s: Luca Greeb, Andreas Krüger
Fully Patched Version: 6.8.1
Recommended Remediation: Update to version 6.8.1, or newer patched version.
Publication Date: 2022-11-29

The Simple:Press plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 6.8 via the ‘file’ parameter which can be manipulated during user avatar deletion. This makes it possible with attackers, with minimal permissions such as a subscriber, to supply paths to arbitrary files on the server that will subsequently be deleted. This can be used to delete the wp-config.php file that can allow an attacker to configure the site and achieve remote code execution.


Simple:Press <= 6.8 – Reflected Cross-Site Scripting via Cookie Value

Affected Plugin: Simple:Press
Plugin Slug: simplepress
Affected Versions: <= 6.8
CVE ID: CVE-2022-4029
CVSS Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Luca Greeb, Andreas Krüger
Fully Patched Version: 6.8.1
Recommended Remediation: Update to version 6.8.1, or newer patched version.
Publication Date: 2022-11-29

The Simple:Press plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘sforum_[md5 hash of the WordPress URL]’ cookie value in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This would be highly complex to exploit as it would require the attacker to set the cookie a cookie for the targeted user.


Simple:Press <= 6.8 – Authenticated Stored Cross-Site Scripting via Profile Signatures

Affected Plugin: Simple:Press
Plugin Slug: simplepress
Affected Versions: <= 6.8
CVE ID: CVE-2022-4028
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Luca Greeb, Andreas Krüger
Fully Patched Version: 6.8.1
Recommended Remediation: Update to version 6.8.1, or newer patched version.
Publication Date: 2022-11-29

The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘postitem’ parameter manipulated during the profile-save action when modifying a profile signature in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for authenticated attackers, with minimal permissions, such as a subscriber to inject arbitrary web scripts in pages when modifying a profile signature that will execute whenever a user accesses an injected page.


Simple:Press <= 6.8 – Unauthenticated Stored Cross-Site Scripting via Forum Replies

Affected Plugin: Simple:Press
Plugin Slug: simplepress
Affected Versions: <= 6.8
CVE ID: CVE-2022-4027
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Luca Greeb, Andreas Krüger
Fully Patched Version: 6.8.1
Recommended Remediation: Update to version 6.8.1, or newer patched version.
Publication Date: 2022-11-29

The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘postitem’ parameter manipulated during a forum response in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when responding to forum threads that will execute whenever a user accesses an injected page.


Theme and plugin translation for Polylang <= 3.2.16 – Missing Authorization

Affected Plugin: Theme and plugin translation for Polylang
Theme Plugin: theme-translation-for-polylang
Affected Versions: <= 3.2.16
CVE ID: CVE-2022-4169
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Researcher/s: Florent BESNARD
Fully Patched Version: 3.2.17
Recommended Remediation: Update to version 3.2.17, or newer patched version.
Publication Date: 2022-11-28

The Theme and plugin translation for Polylang is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function. This makes it possible for unauthenticated attackers to update plugin and theme translation settings and to import translation strings.


Betheme <= 26.5.1.4 – Authenticated (Contributor+) PHP Object Injection

Affected Theme: Betheme
Theme Slug: betheme
Affected Versions: <= 26.1.4
CVE ID: CVE-2022-3861
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Julien Ahrens
Fully Patched Version: 26.6
Recommended Remediation: Update to version 26.6, or newer patched version.
Publication Date: 2022-11-21

The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor level permissions and above to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc..


SVG Support 2.5  – 2.5.1 – Insecure Plugin Defaults to Cross-Site Scripting

Affected Plugin: SVG Support
Plugin Slug: svg-support
Affected Versions: 2.5 – 2.5.1
CVE ID: CVE-2022-4022
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Marco Wotschka
Fully Patched Version: 2.5.2
Recommended Remediation: Update to version 2.5.2, or newer patched version.
Publication Date: 2022-11-16

The SVG Support plugin for WordPress defaults to insecure settings in version 2.5 and 2.5.1. SVG files containing malicious javascript are not sanitized. While version 2.5 adds the ability to sanitize image as they are uploaded, the plugin defaults to disable sanitization and does not restrict SVG upload to only administrators. This allows authenticated attackers, with author-level privileges and higher, to upload malicious SVG files that can be embedded in posts and pages by higher privileged users. Additionally, the embedded JavaScript is also triggered on visiting the image URL, which allows an attacker to execute malicious code in browsers visiting that URL.


Permalink Manager Lite <= 2.2.20.1 – Cross-Site Request Forgery

Affected Plugin: Permalink Manager Lite
Plugin Slug: permalink-manager
Affected Versions: <= 2.2.20.1
CVE ID: CVE-2022-4021
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Marco Wotschka
Fully Patched Version: 2.2.20.2
Recommended Remediation: Update to version 2.2.20.2, or newer patched version.
Publication Date: 2022-11-16

The Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.20.1. This is due to missing or incorrect nonce validation on the extra_actions function. This makes it possible for unauthenticated attackers to change plugin settings including permalinks and site maps, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.


TeraWallet – For WooCommerce <= 1.4.3 – Insecure Direct Object Reference

Affected Plugin: TeraWallet – For WooCommerce
Plugin Slug: woo-wallet
Affected Versions: <= 1.4.3
CVE ID: CVE-2022-3995
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: Marco Wotschka
Fully Patched Version: 1.4.4
Recommended Remediation: Update to version 1.4.4, or newer patched version.
Publication Date: 2022-11-14

The TeraWallet plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.4.3. This is due to insufficient validation of the user-controlled key on the lock_unlock_terawallet AJAX action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to lock/unlock other users wallets.


Photospace Gallery <= 2.3.5 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Plugin: Photospace Gallery
Plugin Slug: photospace
Affected Versions: <= 2.3.5
CVE ID: CVE-2022-3991
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Marco Wotschka
Fully Patched Version: Unpatched.
Recommended Remediation: Uninstall plugin from site until patched version available.
Publication Date: 2022-11-14

The Photospace Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters saved via the update() function in versions up to, and including, 2.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Transposh WordPress Translation <= 1.0.8.1 – Authorization Bypass

Affected Plugin: Transposh WordPress Translation
Plugin Slug: transposh-translation-filter-for-wordpress
Affected Versions: <= 1.0.8.1
CVE ID: CVE-2022-2536
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Researcher/s: Julien Ahrens
Fully Patched Version: Unpatched.
Recommended Remediation: Uninstall plugin from site until patched version available.
Publication Date: 2022-11-14

The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient validation of settings on the ‘tp_translation’ AJAX action which makes it possible for unauthenticated attackers to bypass any restrictions and influence the data shown on the site. Please note this is a separate issue from CVE-2022-2461. Notes from the researcher: When installed Transposh comes with a set of pre-configured options, one of these is the “Who can translate” setting under the “Settings” tab. However, this option is largely ignored, if Transposh has enabled its “autotranslate” feature (it’s enabled by default) and the HTTP POST parameter “sr0” is larger than 0. This is caused by a faulty validation in “wp/transposh_db.php.”


Feed Them Social – for Twitter feed, Youtube and more <= 2.9.9 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Plugin: Feed Them Social – for Twitter feed, Youtube and more
Plugin Slug: feed-them-social
Affected Versions: <= 2.9.9
CVE ID: CVE-2022-2940
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Marco Wotschka
Fully Patched Version: 3.0.1
Recommended Remediation: Update to version 3.0.1, or newer patched version.
Publication Date: 2022-11-14

The Feed Them Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.9. This is due to missing or incorrect nonce validation on various functions such as fts_instagram_token_ajax(). This makes it possible for unauthenticated attackers to trigger settings updates via forged request granted they can trick a site administrator into performing an action such as clicking on a link.


Feed Them Social – for Twitter feed, Youtube and more <= 2.9.9 – Cross-Site Request Forgery to Settings Update

Affected Plugin: Feed Them Social – for Twitter feed, Youtube and more
Plugin Slug: feed-them-social
Affected Versions: <= 2.9.9
CVE ID: CVE-2022-2942
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Marco Wotschka
Fully Patched Version: 3.0.1
Recommended Remediation: Update to version 3.0.1, or newer patched version.
Publication Date: 2022-11-14

The Feed Them Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.9. This is due to missing or incorrect nonce validation on various functions such as fts_instagram_token_ajax(). This makes it possible for unauthenticated attackers to trigger settings updates via forged request granted they can trick a site administrator into performing an action such as clicking on a link.


WordPress Countdown Widget <= 3.1.9.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Plugin: WordPress Countdown Widget
Plugin Slug: wordpress-countdown-widget
Affected Versions: <= 3.1.9.2
CVE ID: CVE-2022-2944
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Marco Wotschka
Fully Patched Version: 3.1.9.3
Recommended Remediation: Update to version 3.1.9.3, or newer patched version.
Publication Date: 2022-11-14

The WordPress Countdown Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 3.1.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Follow Me Plugin <= 3.1.1 – Cross-Site Request Forgery to Cross-Site Scripting

Affected Plugin: Follow Me Plugin
Plugin Slug: follow-me
Affected Versions: <= 3.1.1
CVE ID: CVE-2022-3240
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Marco Wotschka
Fully Patched Version: Unpatched.
Recommended Remediation: Uninstall plugin from site until patched version available.
Publication Date: 2022-11-14

The “Follow Me Plugin” plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.1. This is due to missing nonce validation on the FollowMeIgniteSocialMedia_options_page() function. This makes it possible for unauthenticated attackers to modify the plugin’s settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


WP Affiliate Platform <= 6.3.9 – Cross-Site Request Forgery

Affected Plugin: WP Affiliate Platform
Plugin Slug: wp-affiliate-platform
Affected Versions: <= 6.3.9
CVE ID: CVE-2022-3898
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Marco Wotschka
Fully Patched Version: 6.4.0
Recommended Remediation: Update to version 6.4.0, or newer.
Publication Date: 2022-11-14

The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9. This is due to missing or incorrect nonce validation on various functions including the affiliates_menu method. This makes it possible for unauthenticated attackers to delete affiliate records, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.


WP Affiliate Platform <= 6.3.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Plugin: WP Affiliate Platform
Plugin Slug: wp-affiliate-platform
Affected Versions: <= 6.3.9
CVE ID: CVE-2022-3897
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Marco Wotschka
Fully Patched Version: 6.4.0
Recommended Remediation: Update to version 6.4.0, or newer.
Publication Date: 2022-11-14

The WP Affiliate Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


WP Affiliate Platform <= 6.3.9 – Reflected Cross-Site Scripting

Affected Plugin: WP Affiliate Platform
Plugin Slug: wp-affiliate-platform
Affected Versions: <= 6.3.9
CVE ID: CVE-2022-3896
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Marco Wotschka
Fully Patched Version: 6.4.0
Recommended Remediation: Update to version 6.4.0, or newer.
Publication Date: 2022-11-14

The WP Affiliate Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER[“REQUEST_URI”] in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is unlikely to work in modern browsers.


Becustom <= 1.0.5.2 – Cross-Site Request Forgery

Affected Plugin: Becustom
Plugin Slug: becustom
Affected Versions: <= 1.0.5.2
CVE ID: CVE-2022-3747
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Julien Ahrens
Fully Patched Version: 1.0.5.3
Recommended Remediation: Update to version 1.0.5.3, or newer.
Publication Date: 2022-11-14

The Becustom plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5.2. This is due to missing nonce validation when saving the plugin’s settings. This makes it possible for unauthenticated attackers to update the plugin’s settings like betheme_url_slug, replaced_theme_author, and betheme_label to name a few, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


VR Calendar <= 2.3.3 – Cross-Site Request Forgery

Affected Plugin: VR Calendar
Plugin Slug: vr-calendar-sync
Affected Versions: <= 2.3.3
CVE ID: CVE-2022-3852
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Marco Wotschka
Fully Patched Version: 2.3.4
Recommended Remediation: Update to version 2.3.4, or newer.
Publication Date: 2022-11-03

The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.3. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to delete, and modify calendars as well as the plugin settings, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.


Restaurant Menu – Food Ordering System – Table Reservation <= 2.3.0 – Missing Authorization on AJAX Actions

Affected Plugin: Restaurant Menu – Food Ordering System – Table Reservation
Plugin Slug: menu-ordering-reservations
Affected Versions: <= 2.3.0
CVE ID: CVE-2022-2696
CVSS Score: 6.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Researcher/s: ptsfence
Fully Patched Version: 2.3.1
Recommended Remediation: Update to version 2.3.1, or newer.
Publication Date: 2022-10-31

The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to authorization bypass via several AJAX actions in versions up to, and including 2.3.0 due to missing capability checks and missing nonce validation. This makes it possible for authenticated attackers with minimal permissions to perform a wide variety of actions such as modifying the plugin’s settings and modifying the ordering system preferences.


Restaurant Menu – Food Ordering System – Table Reservation <= 2.3.1 – Cross-Site Request Forgery

Affected Plugin: Restaurant Menu – Food Ordering System – Table Reservation
Plugin Slug: menu-ordering-reservations
Affected Versions: <= 2.3.1
CVE ID: CVE-2022-3776
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: ptsfence
Fully Patched Version: 2.3.2
Recommended Remediation: Update to version 2.3.2, or newer.
Publication Date: 2022-10-31

The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.1. This is due to missing or incorrect nonce validation on several functions called via AJAX actions such as forms_action, set_option, & chosen_options to name a few . This makes it possible for unauthenticated attackers to perform a variety of administrative actions like modifying forms, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 – Authenticated (Admin+) Limited Remote Code Execution via um_populate_dropdown_options

Affected Plugin: Ultimate Member – User Profile, User Registration, Login & Membership Plugin
Plugin Slug: ultimate-member
Affected Versions: <= 2.5.0
CVE ID: CVE-2022-3384
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ruijie Li
Fully Patched Version: 2.5.1
Recommended Remediation: Update to version 2.5.1, or newer.
Publication Date: 2022-10-28

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and passes it through call_user_func(). This is restricted to non-parameter PHP functions like phpinfo(); since user supplied parameters are not passed through the function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the server.


Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 – Authenticated (Admin+) Remote Code Execution via Multi-Select

Affected Plugin: Ultimate Member – User Profile, User Registration, Login & Membership Plugin
Plugin Slug: ultimate-member
Affected Versions: <= 2.5.0
CVE ID: CVE-2022-3383
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ruijie Li
Fully Patched Version: 2.5.1
Recommended Remediation: Update to version 2.5.1, or newer.
Publication Date: 2022-10-28

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server.


Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 – Authenticated (Contributor+) Directory Traversal via Shortcodes

Affected Plugin: Ultimate Member – User Profile, User Registration, Login & Membership Plugin
Plugin Slug: ultimate-member
Affected Versions: <= 2.5.0
CVE ID: CVE-2022-3361
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Researcher/s: Ruijie Li
Fully Patched Version: 2.5.1
Recommended Remediation: Update to version 2.5.1, or newer.
Publication Date: 2022-10-28

The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the ‘template’ attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a php file then remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users.


Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 – Authenticated (Admin+) Directory Traversal

Affected Plugin: Ultimate Member – User Profile, User Registration, Login & Membership Plugin
Plugin Slug: ultimate-member
Affected Versions: <= 2.5.0
CVE ID: CVE-2022-2445
CVSS Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Researcher/s: Ruijie Li
Fully Patched Version: 2.5.1
Recommended Remediation: Update to version 2.5.1, or newer.
Publication Date: 2022-10-28

The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the ‘pack’ parameter. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a file with the exact name ‘init.php’ then remote code execution may also be possible.


Web Stories <= 1.24.0 – Server Side Request Forgery

Affected Plugin: Web Stories
Plugin Slug: web-stories
Affected Versions: <= 1.24.0
CVE ID: CVE-2022-3708
CVSS Score: 9.6 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Researcher/s: Aymen Borgi
Fully Patched Version: 1.25.0
Recommended Remediation: Update to version 1.25.0, or newer.
Publication Date: 2022-10-26

The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the ‘url’ parameter found via the /v1/hotlink/proxy REST API Endpoint. This made it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.


ImageMagick Engine <= 1.7.4 – Cross-Site Request Forgery to Remote Command Execution

Affected Plugin: ImageMagick Engine
Plugin Slug: imagemagick-engine
Affected Versions: <= 1.7.4
CVE ID: CVE-2022-2441
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Rasoul Jahanshahi
Fully Patched Version: Unpatched.
Recommended Remediation: Uninstall plugin from site until patched version available.
Publication Date: 2022-10-17

The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the ‘cli_path’ parameter in versions up to, and including 1.7.4. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and or modify files hosted on the server which can easily grant attackers backdoor access to the affected server.


Log HTTP Requests <= 1.3.1 – Stored Cross-Site Scripting

Affected Plugin: Log HTTP Requests
Plugin Slug: log-http-requests
Affected Versions: <= 1.3.1
CVE ID: CVE-2022-3402
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Etan Imanol Castro Aldrete
Fully Patched Version: 1.3.2
Recommended Remediation: Update to version 1.3.2, or newer.
Publication Date: 2022-10-05

The Log HTTP Requests plugin for WordPress is vulnerable to Stored Cross-Site Scripting via logged HTTP requests in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers who can trick a site’s administrator into performing an action like clicking on a link, or an authenticated user with access to a page that sends a request using user-supplied data via the server, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Bricks 1.2 – 1.5.3 – Remote Code Execution

Affected Theme: Bricks
Theme Slug: bricks
Affected Versions: 1.2 to 1.5.3
CVE ID: CVE-2022-3401
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Anonymous
Fully Patched Version: 1.5.4
Recommended Remediation: Update to version 1.5.4, or newer.
Publication Date: 2022-10-03

The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability (CVE-2022-3400), makes it possible for authenticated attackers with minimal permissions, such as a subscriber, can edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution.


Bricks 1.0 – 1.5.3 – Missing Authorization to Arbitrary Content Creation/Modification

Affected Theme: Bricks
Theme Slug: bricks
Affected Versions: 1.0 – 1.5.3
CVE ID: CVE-2022-3400
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Researcher/s: Anonymous
Fully Patched Version: 1.5.4
Recommended Remediation: Update to version 1.5.4, or newer.
Publication Date: 2022-10-03

The Bricks theme for WordPress is vulnerable to authorization bypass due to a missing capability check on the bricks_save_post AJAX action in versions 1.0 to 1.5.3. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website.