CVE-2022-4950

HIGH

Cool Plugins WordPress Plugins < 2.4 - Authenticated Arbitrary Plugin Installation and Activation

Title source: llm
STIX 2.1

Description

Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber.

Scores

CVSS v3 8.8
EPSS 0.0138
EPSS Percentile 68.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-862
Status published
Products (20)
blackworks1/Cryptocurrency Donation Box – Bitcoin & Crypto Donations < 1.7
coolplugins/cool_timeline < 2.4
coolplugins/Cryptocurrency Widgets For Elementor < 1.3
coolplugins/cryptocurrency_widgets < 2.5.1
coolplugins/cryptocurrency_widgets_for_elementor < 1.3
coolplugins/event_single_page_builder_for_the_event_calendar < 1.6
coolplugins/Events Widgets For Elementor And The Events Calendar < 1.4.2
coolplugins/events-notification-bar-addon < 1.6
coolplugins/events_search_for_the_events_calendar < 1.2
coolplugins/events_shortcodes_for_the_events_calendar < 2.0
... and 10 more
Published Jun 07, 2023
Tracked Since Feb 18, 2026