CVE-2022-3632 - How Missing CSRF Checks in OAuth Client by DigitalPixies Expose Your WordPress Site
Security flaws in WordPress plugins can give hackers an opening to bypass protections and mess with your website. One such flaw—CVE-2022-3632—affects the OAuth
CVE-2022-3477 The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper and Newsmag WordPress themes, doesn't properly implement Facebook login, which allows attackers to login as any use.
This issue was addressed by Facebook in its security update on April 18th, 2018. More details on this issue can be found in the linked
CVE-2022-3539 The Testimonials and Super-testimonial-pro plugins before 1.0.8 are not sanitizing and escaping their settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks.
This has been fixed in WordPress version >= 2.7 and 4.8. In WordPress version 4.8 and later, super-testimonial-pro WordPress plugin before 1.
CVE-2022-3538 The Webmaster Tools Verification plugin through 1.2 doesn't have authorisation and CSRF, allowing unauthenticated users to disable arbitrary plugins.
This could potentially allow an attacker to disable arbitrary plugins, leading to a plugin breakage and Site deactivation. We are actively investigating this issue, and
CVE-2022-2449 The reSmush.it: the free Image Optimizer and compress plugin doesn't perform CSRF checks, allowing an attacker to trick logged in users to perform actions on their behalf.
This can be something as simple as viewing a malicious email in your inbox or as dangerous as pushing malicious updates to the WordPress installation.
Episode
00:00:00
00:00:00