Lucene search

[email protected]CVE-2022-4950

HistoryJun 07, 2023 - 2:15 a.m.

CVE-2022-4950

2023-06-0702:15:15

CWE-862

[email protected]

web.nvd.nist.gov

cve-2022-4950

wordpress

cool plugins

vulnerability

arbitrary plugin installation

remote code execution

nvd

security

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.9%

JSON

Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber.

Affected configurations

Vulners

NVD

Node

coolpluginsthe_events_calendar_countdown_addonRange≤1.3.1

coolpluginsevents-notification-bar-addonRange≤1.1

coolpluginscool_timelineRange≤2.3.3

blackworks1cryptocurrency_payment_\&_donation_box_–_accept_payments_in_any_cryptocurrency_on_your_wp_site_for_freeRange≤1.7

coolpluginsevents_search_for_the_events_calendarRange≤1.1.3

coolpluginscryptocurrency_widgets_for_elementorRange<1.3

coolpluginsevent_single_page_builder_for_the_event_calendarRange≤1.5

coolpluginsevents_shortcodes_for_the_events_calendarRange≤1.9.4

coolpluginscryptocurrency_widgetsRange≤2.4

coolpluginsevents_widgets_for_elementor_and_the_events_calendarRange≤1.4.2

VendorProductVersionCPE
coolpluginsthe_events_calendar_countdown_addon*cpe:2.3:a:coolplugins:the_events_calendar_countdown_addon:*:*:*:*:*:*:*:*
coolpluginsevents\-notification\-bar\-addon*cpe:2.3:a:coolplugins:events\-notification\-bar\-addon:*:*:*:*:*:*:*:*
coolpluginscool_timeline*cpe:2.3:a:coolplugins:cool_timeline:*:*:*:*:*:*:*:*
coolpluginsevents_search_for_the_events_calendar*cpe:2.3:a:coolplugins:events_search_for_the_events_calendar:*:*:*:*:*:*:*:*
coolpluginscryptocurrency_widgets_for_elementor*cpe:2.3:a:coolplugins:cryptocurrency_widgets_for_elementor:*:*:*:*:*:*:*:*
coolpluginsevent_single_page_builder_for_the_event_calendar*cpe:2.3:a:coolplugins:event_single_page_builder_for_the_event_calendar:*:*:*:*:*:*:*:*
coolpluginsevents_shortcodes_for_the_events_calendar*cpe:2.3:a:coolplugins:events_shortcodes_for_the_events_calendar:*:*:*:*:*:*:*:*
coolpluginscryptocurrency_widgets*cpe:2.3:a:coolplugins:cryptocurrency_widgets:*:*:*:*:*:*:*:*
coolpluginsevents_widgets_for_elementor_and_the_events_calendar*cpe:2.3:a:coolplugins:events_widgets_for_elementor_and_the_events_calendar:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
coolplugins	the_events_calendar_countdown_addon	*	cpe:2.3:a:coolplugins:the_events_calendar_countdown_addon::::::::
coolplugins	events\-notification\-bar\-addon	*	cpe:2.3:a:coolplugins:events\-notification\-bar\-addon::::::::
coolplugins	cool_timeline	*	cpe:2.3:a:coolplugins:cool_timeline::::::::
coolplugins	events_search_for_the_events_calendar	*	cpe:2.3:a:coolplugins:events_search_for_the_events_calendar::::::::
coolplugins	cryptocurrency_widgets_for_elementor	*	cpe:2.3:a:coolplugins:cryptocurrency_widgets_for_elementor::::::::
coolplugins	event_single_page_builder_for_the_event_calendar	*	cpe:2.3:a:coolplugins:event_single_page_builder_for_the_event_calendar::::::::
coolplugins	events_shortcodes_for_the_events_calendar	*	cpe:2.3:a:coolplugins:events_shortcodes_for_the_events_calendar::::::::
coolplugins	cryptocurrency_widgets	*	cpe:2.3:a:coolplugins:cryptocurrency_widgets::::::::
coolplugins	events_widgets_for_elementor_and_the_events_calendar	*	cpe:2.3:a:coolplugins:events_widgets_for_elementor_and_the_events_calendar::::::::

CNA Affected

[
  {
    "vendor": "narinder-singh",
    "product": "The Events Calendar Countdown Addon",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.3.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "narinder-singh",
    "product": "The Events Calendar Events Notification Bar Addon",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "narinder-singh",
    "product": "Cool Timeline (Horizontal & Vertical Timeline)",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "2.3.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "blackworks1",
    "product": "Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.7",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "narinder-singh",
    "product": "Events Search For The Events Calendar",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.1.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "coolplugins",
    "product": "Cryptocurrency Widgets For Elementor",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThan": "1.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "narinder-singh",
    "product": "Event Single Page Builder For The Event Calendar",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.5",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "narinder-singh",
    "product": "Events Shortcodes For The Events Calendar",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.9.4",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "narinder-singh",
    "product": "Cryptocurrency Widgets – Price Ticker & Coins List",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "2.4",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "coolplugins",
    "product": "Events Widgets For Elementor And The Events Calendar",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.4.2",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

blog.nintechnet.com/8-wordpress-plugins-fixed-high-severity-vulnerability/

plugins.trac.wordpress.org/changeset/2705076/cool-timeline/trunk/admin/timeline-addon-page/timeline-addon-page.php

www.wordfence.com/threat-intel/vulnerabilities/id/f6f0fb78-ad6b-4a9e-ae1a-5793f3426379?source=cve

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.9%

JSON

Related for CVE-2022-4950

prion1 cvelist1 nvd1