Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@wordfence.com | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| coolplugins | cryptocurrency_widgets_for_elementor | * |
| coolplugins | cool_timeline | * |
| coolplugins | events-notification-bar-addon | * |
| coolplugins | events_widgets_for_elementor_and_the_events_calendar | * |
| coolplugins | the_events_calendar_countdown_addon | * |
| coolplugins | event_single_page_builder_for_the_event_calendar | * |
| coolplugins | events_search_for_the_events_calendar | * |
| coolplugins | cryptocurrency_widgets | * |
| cryptocurrency_payment_&_donation_box_plugins | cryptocurrency_payment_&_donation_box | * |
| coolplugins | events_shortcodes_for_the_events_calendar | * |