CVE-2022-2711 - Path Traversal Vulnerability in "Import any XML or CSV File to WordPress" Plugin (Pre-3.6.9)
In mid-2022, WordPress site owners faced a serious security flaw in the popular plugin "Import any XML or CSV File to WordPress". The
CVE-2022-3536 The Role Based Pricing plugin before 1.6.3 has no authorization and validation, which allows any authenticated user to perform a phar deserialization attack.
they can upload a file, and a suitable gadget chain is present on the blog, such as Google Analytics, the attackers can inject malicious code
CVE-2022-3558 The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files.
This is a pretty big issue as it can lead to security issues when the exported data is used by other applications or services. This
CVE-2022-3489 The WP Hide plugin through 0.0.2 doesn't have authorisation and CSRF checks, which allows unauthenticated attackers to update the custom_wpadmin_slug settings.
resulting in arbitrary code execution.
This was fixed in version 0.0.3 by changing the update code to be a POST request, resulting in
CVE-2022-3537 The Role Based Pricing plugin before 1.6.2 has no authorisation and validation for uploaded files, which allows anyone to upload arbitrary files, like PHP.
source code or backdoor scripts to execute. In order to prevent the threat of unauthorized modification of the plugin code and data, the developers of