November 7, 2022
Severity
Medium
Analysis Summary
CVE-2022-3082 CVSS:5.4
The miniOrange Discord Integration plugin for WordPress is vulnerable to cross-site request forgery: its AJAX actions do not verify that the request was intentionally issued by the logged-in user (in WordPress terms, missing or incorrect nonce validation). By persuading an authenticated user to visit a malicious web site, a remote attacker can have the victim's browser submit a forged request, with the victim's session cookies attached, that disables the plugin or performs the other actions those handlers expose.
CVE-2022-33978 CVSS:6.1
The FontMeister plugin for WordPress is vulnerable to reflected cross-site scripting: a request parameter is written into the page without adequate escaping. A remote attacker could craft a URL that, once clicked, executes script in the victim's browser within the security context of the hosting site. Because WordPress marks its authentication cookies HttpOnly, the realistic payload is script that performs actions in the victim's session (for an administrator, anything the dashboard allows) rather than direct theft of the login cookie.
CVE-2022-38454 CVSS:5.4
The Kraken.io Image Optimizer plugin for WordPress is vulnerable to cross-site request forgery: a privileged action does not validate the origin of the request. By persuading an authenticated user to visit a malicious web site, a remote attacker can have the victim's browser submit a forged request that performs unauthorized actions with the victim's privileges.
CVE-2022-38079 CVSS:5.4
The Backup Scheduler plugin for WordPress is vulnerable to cross-site request forgery: a privileged action does not validate the origin of the request. By persuading an authenticated user to visit a malicious web site, a remote attacker can have the victim's browser submit a forged request that the plugin processes with the victim's privileges, allowing unauthorized actions on the site.
CVE-2022-36340 CVSS:6.5
The MailOptin plugin for WordPress could allow a remote attacker to bypass security restrictions because an action lacks an authorization (capability) check. An attacker could use it to delete the contents of the Optin Campaign Cache.
CVE-2022-38704 CVSS:5.4
The SEO Redirection Plugin – 301 Redirect Manager plugin for WordPress is vulnerable to cross-site request forgery: the actions that clear data do not validate the origin of the request. By persuading an authenticated user to visit a malicious web site, a remote attacker can have the victim's browser submit a forged request that deletes the logged 404 errors and the redirection history.
CVE-2022-40132 CVSS:5.4
The Seriously Simple Podcasting plugin for WordPress is vulnerable to cross-site request forgery: the settings-update action does not validate the origin of the request. By persuading an authenticated user to visit a malicious web site, a remote attacker can have the victim's browser submit a forged request that changes the plugin's settings with the victim's privileges.
CVE-2022-38134 CVSS:4.3
The Customer Reviews for WooCommerce plugin for WordPress could allow a remote authenticated attacker to obtain sensitive information because the review-export action lacks an authorization check. A logged-in user without the appropriate privileges could export the site's reviews and use that information to launch further attacks against the affected system.
CVE-2022-38470 CVSS:4.3
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to cross-site request forgery: the test-email action does not validate the origin of the request. By persuading an authenticated user to visit a malicious web site, a remote attacker can have the victim's browser submit a forged request that causes the plugin to send test emails.
CVE-2022-38061 CVSS:6.2
The Export Post Info plugin for WordPress is vulnerable to CSV injection: post data supplied by a remote authenticated user is written into the exported CSV without neutralising spreadsheet formula characters. When an administrator opens the export in a spreadsheet application, an injected cell beginning with a formula character (=, +, -, @) is evaluated and can execute arbitrary commands. The code runs on the machine of whoever opens the file, not on the WordPress server, so the victim is the reviewing administrator rather than the site.
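The following added example is not code from the Export Post Info plugin; it is a hypothetical export routine (function names `myplugin_*` are invented) written to show how a post title turns into a formula in the exported CSV and one way to neutralise cells before they are written.

```php
<?php
/**
 * Added example, not code from the Export Post Info plugin. Shows why a
 * post title can become a spreadsheet formula in an exported CSV and one way
 * to neutralise cells before writing them. Function names are invented.
 */

// Constructed sample rows: one benign title and two titles a low-privileged
// author could submit. The second is the classic DDE form that some spreadsheet
// versions offer to execute; the third hides a formula behind a leading tab.
$posts = array(
    array( 'title' => 'Spring sale',                                  'author' => 'alice' ),
    array( 'title' => '=cmd|\' /C calc\'!A0',                          'author' => 'mallory' ),
    array( 'title' => "\t=HYPERLINK(\"http://evil.test\",\"click\")", 'author' => 'mallory' ),
);

/**
 * Make a cell inert for spreadsheet software. Formula parsing is triggered by
 * a leading =, +, - or @ (after any leading spaces, which Excel ignores) and
 * by a leading tab or carriage return. Prefixing a single quote makes the
 * application treat the cell as literal text; fputcsv() then takes care of
 * quoting commas, quotes and newlines for the CSV layer.
 */
function myplugin_csv_safe( $value ) {
    $value = (string) $value;
    if ( '' === $value ) {
        return $value;
    }
    $first_visible  = ltrim( $value, ' ' );
    $starts_formula = ( '' !== $first_visible && false !== strpos( '=+-@', $first_visible[0] ) );
    $starts_control = ( false !== strpos( "\t\r", $value[0] ) );
    return ( $starts_formula || $starts_control ) ? "'" . $value : $value;
}

/**
 * Write rows as CSV to an open stream, neutralising every free-text cell.
 * Apply this only to text columns: a numeric column of negative amounts would
 * otherwise be turned into strings, which is the usual objection to this fix.
 * The explicit '' escape parameter (PHP 7.4+) gives plain RFC 4180 quoting.
 */
function myplugin_write_csv( $stream, array $header, array $rows ) {
    fputcsv( $stream, $header, ',', '"', '' );
    foreach ( $rows as $row ) {
        fputcsv( $stream, array_map( 'myplugin_csv_safe', array_values( $row ) ), ',', '"', '' );
    }
}

// Stand-alone demonstration: build the file in memory and print it. In a
// plugin this would be php://output, with Content-Type: text/csv and a
// Content-Disposition: attachment header sent before any output.
$stream = fopen( 'php://memory', 'w+' );
myplugin_write_csv( $stream, array( 'title', 'author' ), $posts );
rewind( $stream );
echo stream_get_contents( $stream );
fclose( $stream );
```

Neutralising on export is the fix that belongs to the plugin; the other half of the mitigation sits with the person opening the file (spreadsheet software prompts before running DDE/external content, and those prompts should not be waved through for a file downloaded from a multi-author site).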
CVE-2022-36417 CVSS:6.1
The 3D Tag Cloud plugin for WordPress is vulnerable to cross-site scripting: user-supplied input is written into a page without adequate escaping. A remote attacker could inject script that executes in the browser of a victim who views the affected page, within the security context of the hosting site, and could use it to hijack the victim's session or perform actions as that victim.
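For the two cross-site scripting entries (FontMeister, 3D Tag Cloud), the following added example shows the defect pattern and the WordPress-idiomatic fix. It is not code from either plugin: the admin page, option name `myplugin_title` and script handle `myplugin-admin` are invented.

```php
<?php
/**
 * Added example, not FontMeister or 3D Tag Cloud code. A hypothetical admin
 * page ("myplugin", invented) reflects a request parameter and echoes a stored
 * option: first the unsafe way, then escaped for each output context.
 */

// Vulnerable: untrusted strings are concatenated straight into HTML.
//   Reflected: ?tab=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E closes the href
//              attribute and runs in the session of whoever follows the link.
//   Stored:    a title saved as <img src=x onerror=alert(1)> runs for every
//              viewer of the page, every time it is rendered.
function myplugin_render_vuln() {
    $tab   = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    $title = get_option( 'myplugin_title', '' );
    echo '<a href="?page=myplugin&tab=' . $tab . '">' . $title . '</a>';
    echo '<input type="text" name="myplugin_title" value="' . $title . '">';
}

// Hardened: escape at the point of output, choosing the function for the
// context the value lands in. Sanitising on input (below) is defence in depth,
// not a substitute, because the same value may later be printed elsewhere.
function myplugin_render() {
    // Where the legal values are known, do not reflect the input at all.
    $allowed = array( 'general', 'fonts' );
    $tab     = ( isset( $_GET['tab'] ) && in_array( $_GET['tab'], $allowed, true ) ) ? $_GET['tab'] : 'general';
    $title   = get_option( 'myplugin_title', '' );

    $url = add_query_arg( array( 'page' => 'myplugin', 'tab' => $tab ), admin_url( 'admin.php' ) );

    // URL in an href: esc_url() rejects javascript: and other disallowed schemes
    // and encodes characters that would break out of the attribute.
    // Text between tags: esc_html(). Attribute value: esc_attr().
    printf( '<a href="%s">%s</a>', esc_url( $url ), esc_html( $title ) );
    printf( '<input type="text" name="myplugin_title" value="%s">', esc_attr( $title ) );

    // Value handed to JavaScript: wp_json_encode() yields a JS string literal
    // with '/' escaped, so a stored '</script>' cannot terminate the block.
    wp_add_inline_script( 'myplugin-admin', 'var mypluginTitle = ' . wp_json_encode( $title ) . ';' );
}

// Defence in depth: sanitise the option when it is saved through the Settings
// API, so what is stored is plain text in the first place.
add_action( 'admin_init', function () {
    register_setting( 'myplugin', 'myplugin_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
} );
```

The rule the hardened function follows is one escaper per context: `esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for URLs, `wp_json_encode()` for data handed to scripts, and `wp_kses_post()` only where rich HTML is genuinely required.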
CVE-2022-40194 CVSS:5.3
The Customer Reviews for WooCommerce plugin for WordPress could allow a remote authenticated attacker to obtain sensitive information because a file path derived from user input is not sufficiently validated. By sending a specially-crafted request, the attacker could access files outside the location the plugin intends to expose and use the information to launch further attacks against the affected system.
CVE-2022-3149 CVSS:6.1
The WP Custom Cursors plugin for WordPress is vulnerable to cross-site request forgery: a privileged action does not validate the origin of the request. By persuading an authenticated administrator to visit a malicious web site, a remote attacker can have the administrator's browser submit a forged request that the plugin processes as if the administrator had issued it.
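The seven cross-site request forgery entries above (miniOrange Discord Integration, Kraken.io Image Optimizer, Backup Scheduler, SEO Redirection, Seriously Simple Podcasting, the Customer Reviews test-email action, WP Custom Cursors) and the two broken-access-control entries (MailOptin, the Customer Reviews export) share one root cause: a privileged AJAX action that checks neither where the request came from nor who is allowed to make it. The following added example is not code from any of these plugins. It is a hypothetical settings handler (the `myplugin_*` names, the `security` nonce field and the `settings_page_myplugin` hook suffix are invented) showing the vulnerable shape and the hardened one.

```php
<?php
/**
 * Added example for this advisory, not code from any plugin listed above.
 * A hypothetical plugin ("myplugin", invented name) exposes a settings-save
 * action on admin-ajax.php. The first handler has the defect pattern behind
 * the CSRF and broken-access-control entries; the second closes both.
 */

// ---- Vulnerable shape ------------------------------------------------------
// wp_ajax_* hooks only run for logged-in users, which is often mistaken for
// protection. Nothing here proves the user meant to send this request (CSRF),
// and nothing checks that the user is allowed to change settings (broken
// access control): a subscriber, or an attacker page loaded by an admin,
// can call it. The browser attaches the victim's auth cookies automatically.
add_action( 'wp_ajax_myplugin_save_settings_vuln', function () {
    update_option( 'myplugin_settings', array(
        'webhook_url' => isset( $_POST['webhook_url'] ) ? $_POST['webhook_url'] : '',
        'enabled'     => isset( $_POST['enabled'] ),
    ) );
    wp_send_json_success();
} );

// ---- Hardened shape --------------------------------------------------------
add_action( 'wp_ajax_myplugin_save_settings', function () {
    // (1) Origin/intent check. check_ajax_referer() verifies that the value in
    //     $_REQUEST['security'] is a nonce created for the action
    //     'myplugin_save_settings' by the current user within the nonce
    //     lifetime; on failure it ends the request with HTTP 403. An attacker's
    //     page cannot read a valid nonce for the victim, so forged requests stop here.
    check_ajax_referer( 'myplugin_save_settings', 'security' );

    // (2) Authorisation. A nonce only proves the request came from a page that
    //     rendered it; it says nothing about privilege. Require the capability
    //     that matches the action. This is the check whose absence lets any
    //     logged-in user delete a cache or export reviews.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // sends JSON and terminates
    }

    // (3) Input sanitisation. Stored settings are echoed back in admin pages, so
    //     an unsanitised value becomes stored XSS later even with (1) and (2).
    $webhook_url = isset( $_POST['webhook_url'] ) ? esc_url_raw( wp_unslash( $_POST['webhook_url'] ) ) : '';
    update_option( 'myplugin_settings', array(
        'webhook_url' => $webhook_url,
        'enabled'     => ! empty( $_POST['enabled'] ),
    ) );
    wp_send_json_success();
} );

// ---- Issuing the nonce ------------------------------------------------------
// The admin page passes the nonce to its script; the script sends it back as
// the 'security' field of the POST body. wp_create_nonce() binds the token to
// the action, the user's session and a time window of roughly 12 to 24 hours.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'settings_page_myplugin' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'    => admin_url( 'admin-ajax.php' ),
        'action' => 'myplugin_save_settings',
        'nonce'  => wp_create_nonce( 'myplugin_save_settings' ),
    ) );
} );
```

When reviewing a plugin for this class, grep for every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirm each handler calls `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` check appropriate to what it does; a handler with only one of the two is still vulnerable to the other issue.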
Impact
- Cross-Site Request Forgery
- Cross-Site Scripting
- Security Bypass
- Gain Access
- Information Disclosure
- Code Execution
Indicators Of Compromise
CVE
- CVE-2022-3082
- CVE-2022-33978
- CVE-2022-38454
- CVE-2022-38079
- CVE-2022-36340
- CVE-2022-38704
- CVE-2022-40132
- CVE-2022-38134
- CVE-2022-38470
- CVE-2022-38061
- CVE-2022-36417
- CVE-2022-40194
- CVE-2022-3149
Affected Vendors
WordPress
Affected Products
- Social Media Follow Buttons Bar plugin for WordPress 4.73
- Social Media Follow Buttons Bar plugin for WordPress 4.72
- miniOrange Discord Integration Plugin for WordPress 2.1.5
- Kraken.io Image Optimizer Plugin for WordPress 2.6.5
- Backup Scheduler plugin for WordPress 1.5.13
- Backup Scheduler plugin for WordPress 1.5.12
- MailOptin plugin for WordPress 1.2.49.0
- MailOptin plugin for WordPress 1.2.48.0
- Seriously Simple Podcasting Plugin for WordPress 2.16.0
- Customer Reviews for WooCommerce plugin for WordPress 5.3.5
- Customer Reviews for WooCommerce plugin for WordPress 5.3.4
- Export Post Info plugin for WordPress 1.1.0
- Export Post Info plugin for WordPress 1.0.4
- 3D Tag Cloud plugin for WordPress 3.8
- 3D Tag Cloud plugin for WordPress 3.7
- WP Custom Cursors Plugin for WordPress 3.0.0
Remediation
Refer to each affected plugin's page on the WordPress plugin directory for patch, upgrade or suggested workaround information, and update to the release that addresses the relevant CVE. Where a plugin has no fixed release, deactivate and remove it until one is available. The CVEs covered by this advisory:
- CVE-2022-3082
- CVE-2022-33978
- CVE-2022-38454
- CVE-2022-38079
- CVE-2022-36340
- CVE-2022-38704
- CVE-2022-40132
- CVE-2022-38134
- CVE-2022-38470
- CVE-2022-38061
- CVE-2022-36417
- CVE-2022-40194
- CVE-2022-3149