Critical Security Vulnerabilities in WordPress (CVE-2024-13545, CVE-2024-12857)

Published On: Jan 27, 2025 11:57

Advisory No: TZCERT-SA-25-0054

Source: Wordfence

Software Affected: bootstrap-ultimate, adforest

Overview

Two WordPress plugins contain critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute arbitrary code.

Description

The WordPress plugins bootstrap-ultimate and adforest are affected by the vulnerabilities tracked as CVE-2024-13545 and CVE-2024-12857 respectively, each with a CVSS score of 9.8. The first flaw leads to Local File Inclusion; the second is an improper verification of a user's identity before logging them in as that user. Together, the vulnerabilities allow unauthenticated attackers to achieve code execution, and to authenticate as any user who has configured OTP login by phone number.
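The two vulnerability classes named above, Local File Inclusion and logging a user in without verifying their identity, are easiest to recognise when the weak pattern sits next to a hardened one. The following PHP is an added illustration written for this advisory; it is not code from bootstrap-ultimate, adforest, or Wordfence, and the function names, template keys, transient names and the assumption that the phone number is stored as the user's login are all hypothetical. The WordPress functions used (get_template_directory, sanitize_key, sanitize_text_field, get_user_by, wp_set_auth_cookie, set_transient, get_transient, delete_transient, wp_rand, wp_die and the MINUTE_IN_SECONDS constant) are part of WordPress core.

```php
<?php
// Added example, not code from the affected plugins. Function names, template
// keys and transient names are hypothetical; WordPress core functions are real.

// --- 1. Local File Inclusion --------------------------------------------------

// Weak pattern: a request parameter chooses the file that gets included.
// Path separators or traversal sequences in that parameter reach the
// filesystem unchanged, so any readable file can be pulled into the page.
function render_template_weak() {
    $tpl = $_GET['template'] ?? 'default';
    include get_template_directory() . '/templates/' . $tpl . '.php';
}

// Hardened pattern: the request only selects a key from a fixed allowlist, so
// no request-controlled characters ever become part of the path. A realpath
// check confirms the resolved file still lives inside the templates directory.
function render_template_hardened() {
    $allowed = [
        'default' => 'default.php',
        'grid'    => 'grid.php',
        'list'    => 'list.php',
    ];
    $key = sanitize_key($_GET['template'] ?? 'default');
    if (!isset($allowed[$key])) {
        $key = 'default';
    }
    $base = realpath(get_template_directory() . '/templates');
    $real = realpath($base . '/' . $allowed[$key]);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_die('Template not found', 404);
    }
    include $real;
}

// --- 2. OTP login without identity verification --------------------------------

// Weak pattern: the handler looks up the account for the submitted phone
// number and sets the auth cookie without ever checking the one-time code.
function otp_login_weak() {
    $user = get_user_by('login', sanitize_text_field($_POST['phone'] ?? ''));
    if ($user) {
        wp_set_auth_cookie($user->ID);
    }
}

// Hardened pattern: a short-lived, single-use code is issued per phone number
// and the submitted code is compared in constant time before any login occurs.
function otp_issue(string $phone): void {
    $code = (string) wp_rand(100000, 999999);
    set_transient('otp_' . md5($phone), $code, 5 * MINUTE_IN_SECONDS);
    // Delivery of $code through the SMS provider is out of scope here.
}

function otp_login_hardened() {
    $phone  = sanitize_text_field($_POST['phone'] ?? '');
    $code   = sanitize_text_field($_POST['code'] ?? '');
    $user   = get_user_by('login', $phone);
    $stored = get_transient('otp_' . md5($phone));
    if (!$user || $stored === false || !hash_equals((string) $stored, $code)) {
        wp_die('Invalid or expired code', 403);
    }
    delete_transient('otp_' . md5($phone)); // single use
    wp_set_auth_cookie($user->ID);
}
```

The design point in both halves is the same: the request may select among server-defined choices or prove possession of a server-issued secret, but it never supplies the path or the identity directly. A production OTP flow would add rate limiting on code attempts and bind the code to a session or nonce as well; those controls are omitted here to keep the contrast with the weak pattern visible.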

Impact

Successful exploitation of these vulnerabilities may allow the attackers to take control of the affected system.

Solution

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
