CVE-2022-4950
HIGHCool Plugins WordPress Plugins < 2.4 - Authenticated Arbitrary Plugin Installation and Activation
Title source: llmDescription
Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber.
References (3)
Core 3
Core References
Third Party Advisory
https://blog.nintechnet.com/8-wordpress-plugins-fixed-high-severity-vulnerability/
Broken Link, Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/f6f0fb78-ad6b-4a9e-ae1a-5793f3426379?source=cve
Scores
CVSS v3
8.8
EPSS
0.0138
EPSS Percentile
68.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (20)
blackworks1/Cryptocurrency Donation Box – Bitcoin & Crypto Donations
< 1.7
coolplugins/cool_timeline
< 2.4
coolplugins/Cryptocurrency Widgets For Elementor
< 1.3
coolplugins/cryptocurrency_widgets
< 2.5.1
coolplugins/cryptocurrency_widgets_for_elementor
< 1.3
coolplugins/event_single_page_builder_for_the_event_calendar
< 1.6
coolplugins/Events Widgets For Elementor And The Events Calendar
< 1.4.2
coolplugins/events-notification-bar-addon
< 1.6
coolplugins/events_search_for_the_events_calendar
< 1.2
coolplugins/events_shortcodes_for_the_events_calendar
< 2.0
... and 10 more
Published
Jun 07, 2023
Tracked Since
Feb 18, 2026