Arbitrary Plugin Installation Vulnerability in Cool Plugins for WordPress
CVE-2022-4950

8.8HIGH

Key Information:

Vendor: WordPress
Status: The Events Calendar Events Notification Bar Addon; Events Search For The Events Calendar; Cryptocurrency Widgets For Elementor; Event Countdown For The Events Calendar
Vendor: CVE Published:; 7 June 2023

What is CVE-2022-4950?

Several WordPress plugins developed by Cool Plugins are susceptible to unauthorized arbitrary plugin installation and activation. This vulnerability allows authenticated attackers, even those with minimal permissions like subscribers, to execute remote code. As a result, they can potentially gain control over the WordPress site, posing significant risks to its integrity and security.

Affected Version(s)

Cool Timeline (Horizontal & Vertical Timeline) 0 <= 2.3.3

Cryptocurrency Donation Box – Bitcoin & Crypto Donations 0 <= 1.7

Cryptocurrency Widgets – Price Ticker & Coins List 0 <= 2.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/2705076/cool...

https://blog.nintechnet.com/8-wordpress-plugins-fixed-hig...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 7, 2023
Vulnerability Reserved
Jun 6, 2023

Credit

Jerome Bruandet

CVE-2022-4950 Data

JSON