Auth bypass in Blackworks1 Cryptocurrency Donation Box – Bitcoin & Crypto Donations
CVE-2022-4950
Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber.
Vulnerability class: Broken Access Control
EPSS: 0.014 (68.6th percentile)
CVSS v3 metrics
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Blackworks1 Cryptocurrency Donation Box – Bitcoin & Crypto Donations — versions 0
- Coolplugins Cool_timeline
- Coolplugins Cryptocurrency_widgets
- Coolplugins Cryptocurrency Widgets For Elementor — versions 0
- Coolplugins Cryptocurrency_widgets_for_elementor
- Coolplugins Event_single_page_builder_for_the_event_calendar
- Coolplugins Events-notification-bar-addon
- Coolplugins Events_search_for_the_events_calendar
- Coolplugins Events_shortcodes_for_the_events_calendar
- Coolplugins Events Widgets For Elementor And The Calendar — versions 0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- security@wordfence.com (Third Party Advisory, Broken Link)
- security@wordfence.com (Patch)
- security@wordfence.com (Third Party Advisory)
Frequently asked questions
- What is CVE-2022-4950?
- CVE-2022-4950 is a high-severity vulnerability in Blackworks1 Cryptocurrency Donation Box – Bitcoin & Crypto Donations, classified under Missing Authorization. CVSS score: 8.8/10. Published 2023-06-07.
- How severe is CVE-2022-4950?
- High severity. CVSS v3 base score is 8.8 out of 10.
- Is CVE-2022-4950 known to be exploited?
- One public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.