Arbitrary Plugin Installation Vulnerability in Cool Plugins for WordPress
CVE-2022-4950

8.8HIGH

Key Information:

Vendor

Wordpress
Status
The Events Calendar Countdown Addon
The Events Calendar Events Notification Bar Addon
Cool Timeline (horizontal & Vertical Timeline)
Cryptocurrency Payment & Donation Box – Accept Payments In Any Cryptocurrency On Your WP Site For Free
Vendor
CVE Published:
7 June 2023

What is CVE-2022-4950?

Several WordPress plugins developed by Cool Plugins are susceptible to unauthorized arbitrary plugin installation and activation. This vulnerability allows authenticated attackers, even those with minimal permissions like subscribers, to execute remote code. As a result, they can potentially gain control over the WordPress site, posing significant risks to its integrity and security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Cool Timeline (Horizontal & Vertical Timeline) * <= 2.3.3

Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free * <= 1.7

Cryptocurrency Widgets – Price Ticker & Coins List * <= 2.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/2705076/cool...
https://blog.nintechnet.com/8-wordpress-plugins-fixed-hig...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jerome Bruandet
JSON
.