CVE-2022-4950

Summary

Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber.

Affected Software

VendorProductVersion RangeStatus
narinder-singhThe Events Calendar Events Notification Bar Addon0 <= 1.1affected
narinder-singhEvents Search For The Events Calendar0 <= 1.1.3affected
coolpluginsCryptocurrency Widgets For Elementor0 < 1.3affected
narinder-singhEvent Countdown for The Events Calendar0 <= 1.3.1affected
coolpluginsEvents Widgets For Elementor And The Events Calendar0 <= 1.4.2affected
narinder-singhEvent Single Page Builder For The Events Calendar0 <= 1.5affected
blackworks1Cryptocurrency Donation Box – Bitcoin & Crypto Donations0 <= 1.7affected
narinder-singhEvents Shortcodes For The Events Calendar0 <= 1.9.4affected
narinder-singhCool Timeline (Horizontal & Vertical Timeline)0 <= 2.3.3affected
narinder-singhCryptocurrency Widgets – Price Ticker & Coins List0 <= 2.4affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References