CVE-2022-3244 The Import all XML, CSV & TXT WordPress plugin before 6.5.8 has auth issues which could allow any authenticated users to access certain features if they get the nonce.

value. This results in XML posts being uploaded to the server and displayed to site visitors that could potentially be abused. The issue has been fixed in version 6.6.0. IMPORT ALL XMPP Plugin The XMPP plugin does not properly check the XMPP server certificate, which could potentially allow an attacker to send malicious messages from the XMPP server and manipulate data in the WordPress database. The issue has been fixed in version 2.5.5. IMPORT ALL XML, CSV & TXT WP Plugin In the CSV and TXT importers, XML validation is enabled. If you have a CSV or TXT file with invalid XML, it could be processed incorrectly, which could result in unexpected data being imported. The issue has been fixed in version 6.5.8. IMPORT ALL XMPP Plugin In the XMPP importer, the XMPP server certificate is validated. If the server certificate is invalid, the import could fail with an error message.

WordFence WordPress Security Monitoring Plugin

Wordfence scans WordPress for security vulnerabilities and provides monitoring of your site. The issue has been fixed in version 6.7.0.

Timeline

Published on: 10/17/2022 12:15:00 UTC
Last modified on: 10/20/2022 19:31:00 UTC

References

• https://wpscan.com/vulnerability/de4bc449-3dd4-4776-943f-ac59ae813132
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3244