CVE-2022-42984 The offset parameter of the WoW Wonder social network platform was found to be vulnerable to SQL injection.

A successful attack can allow hackers to inject malicious code into the database of the affected website, allowing them to hijack, corrupt, or delete data, all of which can have serious consequences for the business. It’s important to note that this vulnerability does not affect the front-end of your website when you are using the plugin. However, it does affect the backend, so if you use the plugin to power your social media posts, you should be very aware of this vulnerability and update to the latest version as soon as possible.

WNW 4.1.4 was also found to be affected by an XSS injection vulnerability. Hackers can exploit it to inject malicious code into your website’s database, allowing them to hijack, corrupt, or delete data. The same caveats apply: the front-end is not affected, the backend is, and you should update to the latest version as soon as possible.

Update for WordPress 4.8.5 and 5.0.2

A few vulnerabilities discovered in the latest versions, WNW-4.1.4 and WNW-5.0.2, need to be patched immediately on your website. One is an XSS injection vulnerability, while another is a cross-site scripting (XSS) vulnerability that hackers can exploit to inject malicious code into your website’s database, allowing them to hijack, corrupt, or delete data, all of which can have serious consequences for the business. If you update to 4.8.5 or 5.0.2, you will protect yourself against these vulnerabilities and avoid any potential consequences they may have on your business’s data.

What is a website backend?

The backend is the part of your website that includes the database, which stores all of the information about your design. The plugin's code is written in PHP, and a vulnerability was discovered in one of the functions. It allows hackers to inject malicious code into the database. This means that any data stored by this plugin can be manipulated or deleted by hackers.

Which WordPress Plugins Are Affected?

Both vulnerabilities were found in the WNW 4.1.4 plugin and were fixed in the current version, which is WNW 5.0.6. The vulnerabilities affect all versions of the plugin prior to 5.0.6, so if you aren’t using the latest version, it’s best to update as soon as possible. It's also important to note that your WordPress website isn't affected by these vulnerabilities if you use a different plugin or theme to power your social media posts instead of WNW 4.1.4 and 4.1.5.

What is a Content Security Policy?

A Content Security Policy (CSP) is a mechanism that directs how browsers interact with web content. One of the primary functions of CSPs is to help prevent cross-site scripting vulnerabilities. More specifically, it helps ensure that a web page loads content only from trusted sources and not from arbitrary third-party scripts.
The following is an example of what a CSP looks like in action:
"style-src 'self' https://*.example.com; object-src 'self' https://*.example.com"
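
As an added example (not part of the original page or of any project's code), the JavaScript below parses a policy string and resolves which source list governs scripts through the default-src fallback. The policy quoted above sets only style-src and object-src, so it places no limit on scripts. The function names and the second, stricter policy are constructed for illustration.

```javascript
// Added example, not from the original page: find which CSP source list
// governs scripts, following the default-src fallback.

// Parse a Content-Security-Policy value into Map<directive, sources[]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive that repeats an earlier name is ignored by browsers.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list applied to a fetch directive, or null if nothing restricts it.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// List the reasons a policy fails to limit script execution.
function auditScripts(header) {
  const sources = effectiveSources(parseCsp(header), 'script-src');
  if (sources === null) {
    return ['no script-src or default-src: scripts are unrestricted'];
  }
  const lower = sources.map((s) => s.toLowerCase());
  const findings = [];
  // 'unsafe-inline' is ignored when a nonce or hash source is present.
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' permits inline scripts");
  }
  if (lower.includes('*')) findings.push('* permits scripts from any host');
  return findings;
}

// The policy string quoted on this page.
const PAGE_POLICY =
  "style-src 'self' https://*.example.com; object-src 'self' https://*.example.com";
// Constructed stricter variant: default-src now covers scripts.
const HARDENED_POLICY =
  "default-src 'self'; style-src 'self' https://*.example.com; object-src 'none'";

console.log(auditScripts(PAGE_POLICY));
console.log(auditScripts(HARDENED_POLICY));
```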
