Critical Vulnerabilities affecting WordPress (CVE-2024-4544, CVE-2024-0867, CVE-2024-1974)

Advisory No: TZCERT/SA/2024/05/24-2

Date of First Release: 24^th May 2024

Source: Wordfence

Software Affected: pie-register-social-site, email-log and ht-mega-for-elementor,

Overview:

WordPress is vulnerable to three critical vulnerabilities. The attackers can leverage the vulnerabilities to take control of the affected system.

Description:

Three WordPress plugins namely pie-register-social-site, email-log and ht-mega-for-elementor as affected by the vulnerabilities tracked as CVE-2024-4544, CVE-2024-0867, and CVE-2024-1974 respectively. Reasons for the flaws include insufficient verification on the user being supplied during a social login through the plugin, and the absence of a capability check among others. The attackers can exploit the vulnerabilities to gain access to the vulnerable system and access to sensitive information.

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to gain access to the vulnerable system

Solution:

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

References:

1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pie-register-social-site/pie-register-social-sites-login-add-on-177-authentication-bypass
2. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/email-log/email-log-248-unauthenticated-hook-injection
3. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ht-mega-for-elementor/ht-mega-absolute-addons-for-elementor-246-authenticated-contributor-directory-traversal