CVE-2022-4950

2023-06-07 02:15:15 | CWE-862 | Wordfence | web.nvd.nist.gov
Tags: cve-2022-4950, wordpress, cool plugins, vulnerability, arbitrary plugin installation, remote code execution, nvd, security

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.8 (Confidence: High)
EPSS: 0.005 (Percentile: 76.2%)

Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber.

Affected configurations

Node (any of the following, OR):

Vendor | Product | Range | Target software
coolplugins | cool_timeline | < 2.4 | wordpress
coolplugins | cryptocurrency_widgets | < 2.5.1 | wordpress
coolplugins | cryptocurrency_widgets_for_elementor | < 1.3 | wordpress
coolplugins | event_single_page_builder_for_the_event_calendar | < 1.6 | wordpress
coolplugins | events-notification-bar-addon | < 1.6 | wordpress
coolplugins | events_search_for_the_events_calendar | < 1.2 | wordpress
coolplugins | events_shortcodes_for_the_events_calendar | < 2.0 | wordpress
coolplugins | events_widgets_for_elementor_and_the_events_calendar | < 1.5 | wordpress
coolplugins | the_events_calendar_countdown_addon | < 1.4 | wordpress
cryptocurrency_payment_\&_donation_box_plugins | cryptocurrency_payment_\&_donation_box | < 1.8 | wordpress

Vendor | Product | Version | CPE
coolplugins | cool_timeline | * | cpe:2.3:a:coolplugins:cool_timeline:*:*:*:*:*:wordpress:*:*
coolplugins | cryptocurrency_widgets | * | cpe:2.3:a:coolplugins:cryptocurrency_widgets:*:*:*:*:*:wordpress:*:*
coolplugins | cryptocurrency_widgets_for_elementor | * | cpe:2.3:a:coolplugins:cryptocurrency_widgets_for_elementor:*:*:*:*:*:wordpress:*:*
coolplugins | event_single_page_builder_for_the_event_calendar | * | cpe:2.3:a:coolplugins:event_single_page_builder_for_the_event_calendar:*:*:*:*:*:wordpress:*:*
coolplugins | events-notification-bar-addon | * | cpe:2.3:a:coolplugins:events-notification-bar-addon:*:*:*:*:*:wordpress:*:*
coolplugins | events_search_for_the_events_calendar | * | cpe:2.3:a:coolplugins:events_search_for_the_events_calendar:*:*:*:*:*:wordpress:*:*
coolplugins | events_shortcodes_for_the_events_calendar | * | cpe:2.3:a:coolplugins:events_shortcodes_for_the_events_calendar:*:*:*:*:*:wordpress:*:*
coolplugins | events_widgets_for_elementor_and_the_events_calendar | * | cpe:2.3:a:coolplugins:events_widgets_for_elementor_and_the_events_calendar:*:*:*:*:*:wordpress:*:*
coolplugins | the_events_calendar_countdown_addon | * | cpe:2.3:a:coolplugins:the_events_calendar_countdown_addon:*:*:*:*:*:wordpress:*:*
cryptocurrency_payment_\&_donation_box_plugins | cryptocurrency_payment_\&_donation_box | * | cpe:2.3:a:cryptocurrency_payment_\&_donation_box_plugins:cryptocurrency_payment_\&_donation_box:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "vendor": "narinder-singh",
    "product": "The Events Calendar Countdown Addon",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.3.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "narinder-singh",
    "product": "The Events Calendar Events Notification Bar Addon",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "narinder-singh",
    "product": "Cool Timeline (Horizontal & Vertical Timeline)",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "2.3.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "blackworks1",
    "product": "Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.7",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "narinder-singh",
    "product": "Events Search For The Events Calendar",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.1.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "coolplugins",
    "product": "Cryptocurrency Widgets For Elementor",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThan": "1.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "narinder-singh",
    "product": "Event Single Page Builder For The Event Calendar",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.5",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "narinder-singh",
    "product": "Events Shortcodes For The Events Calendar",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.9.4",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "narinder-singh",
    "product": "Cryptocurrency Widgets – Price Ticker & Coins List",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "2.4",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "coolplugins",
    "product": "Events Widgets For Elementor And The Events Calendar",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.4.2",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
