Advisory No: TZCERT/SA/2024/05/24-2
Date of First Release: 24th May 2024
Source: Wordfence
Software Affected: pie-register-social-site, email-log and ht-mega-for-elementor
Overview:
Three WordPress plugins are affected by critical vulnerabilities. Attackers can leverage these vulnerabilities to take control of the affected system.
Description:
Three WordPress plugins, namely pie-register-social-site, email-log and ht-mega-for-elementor, are affected by the vulnerabilities tracked as CVE-2024-4544, CVE-2024-0867 and CVE-2024-1974 respectively. Causes of the flaws include insufficient verification of the user supplied during a social login through the plugin and, among others, the absence of a capability check. Attackers can exploit the vulnerabilities to gain access to the vulnerable system and to sensitive information.
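As an added illustration of the "absence of a capability check" root cause named above (example code, not taken from any of the three plugins; the action names and option key are hypothetical), here is a WordPress admin-ajax handler in the vulnerable shape beside its hardened form:

```php
<?php
// Added example, not code from any plugin named in this advisory.
// Action names and the option key are hypothetical.

// Vulnerable pattern: the handler is reachable by any logged-in user (and,
// via the nopriv hook, by unauthenticated visitors) and never checks
// whether the caller is allowed to change settings.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_setting', 'example_save_setting_vulnerable' );
function example_save_setting_vulnerable() {
    update_option( 'example_setting', $_POST['value'] );
    wp_send_json_success();
}

// Hardened pattern: no nopriv hook, a nonce check against CSRF, and an
// explicit capability check before any privileged action is taken.
add_action( 'wp_ajax_example_save_setting_safe', 'example_save_setting_safe' );
function example_save_setting_safe() {
    // Ends the request with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // Capability check: only users allowed to manage options get through.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Unslash and sanitize the input before it reaches the database.
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'example_setting', $value );
    wp_send_json_success();
}
```

When reviewing a plugin, look for every `wp_ajax_`, `wp_ajax_nopriv_`, REST route and admin-post handler and confirm each one performs both a nonce check and a capability check before doing anything privileged.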
Impact:
Successful exploitation of these vulnerabilities may allow an attacker to gain access to the vulnerable system.
Solution:
WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
References:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pie-register-social-site/pie-register-social-sites-login-add-on-177-authentication-bypass
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/email-log/email-log-248-unauthenticated-hook-injection
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ht-mega-for-elementor/ht-mega-absolute-addons-for-elementor-246-authenticated-contributor-directory-traversal