Arbitrary Plugin Installation Vulnerability in Cool Plugins for WordPress
CVE-2022-4950

8.8HIGH

Key Information:

Vendor: Wordpress
Status: The Events Calendar Countdown Addon; The Events Calendar Events Notification Bar Addon; Cool Timeline (horizontal & Vertical Timeline); Cryptocurrency Payment & Donation Box – Accept Payments In Any Cryptocurrency On Your WP Site For Free
Vendor: CVE Published:; 7 June 2023

Summary

Several WordPress plugins developed by Cool Plugins are susceptible to unauthorized arbitrary plugin installation and activation. This vulnerability allows authenticated attackers, even those with minimal permissions like subscribers, to execute remote code. As a result, they can potentially gain control over the WordPress site, posing significant risks to its integrity and security.

Affected Version(s)

Cool Timeline (Horizontal & Vertical Timeline) * <= 2.3.3

Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free * <= 1.7

Cryptocurrency Widgets – Price Ticker & Coins List * <= 2.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/2705076/cool...

https://blog.nintechnet.com/8-wordpress-plugins-fixed-hig...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 7, 2023
Vulnerability Reserved
Jun 6, 2023

Credit

Jerome Bruandet