Rewterz Threat Advisory – Multiple WordPress Plugin Vulnerabilities

January 30, 2023

Severity

High

Analysis Summary

CVE-2022-47615 CVSS:9.3

LearnPress plugin for WordPress could allow a remote attacker to include arbitrary files. An attacker could send a specially-crafted URL request to the inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php script in the list_courses function to specify a malicious file from the local system, which could allow the attacker to execute arbitrary code on the vulnerable Web server. Note: In order to exploit this vulnerability to execute arbitrary code using a local file, the attacker would first be required to upload a malicious file or inject arbitrary commands into an existing file.

CVE-2023-22721 CVSS:6.5

Oi Yandex.Maps plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-0385 CVSS:4.3

Custom 404 Pro plugin for WordPress is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the custom_404_pro_admin_init function. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to delete logs. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVE-2023-0293 CVSS:4.3

Mediamatic plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by missing authorization. By sending a specially-crafted request, an attacker could exploit this vulnerability to change image categories.

CVE-2023-0294 CVSS:8.8

Mediamatic plugin for WordPress is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVE-2023-0295 CVSS:5.5

Launchpad plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23491 CVSS:6.1

Quick Event Manager plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the qem_ajax_calendar action. A remote attacker could exploit this vulnerability using the category parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-0448 CVSS:6.1

WP Helper Lite plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the surveySubmit_func() function in the includes/class-mbwp-helper.php script. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23488 CVSS:9.8

Paid Memberships Pro plugin for WordPress is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the /pmpro/v1/order REST route using the code parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVE-2023-23492 CVSS:6.1

Login with phone number plugin for WordPress is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the lwp_forgot_password action using the ID parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVE-2023-23490 CVSS:9.8

Survey Maker plugin for WordPress is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the ays_surveys_export_json action using the surveys_ids parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVE-2023-23489 CVSS:9.8

Easy Digital Downloads plugin for WordPress is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the edd_download_search action using the s parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVE-2023-0254 CVSS:7.2

Simple Membership WP user Import plugin for WordPress is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements using the orderby parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.