Overview

WordPress plugins are vulnerable to critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute arbitrary code.

Description

WordPress plugins ravpage, carspot, and infusionsoft-official-opt-in-forms are affected by the vulnerabilities tracked as CVE-2024-13789, CVE-2024-12860, and CVE-2024-13725 with CVSS score 9.8 each. The plugins are vulnerable due to deserialization of untrusted input from the 'paramsv2' parameter, improperly validating a token prior to updating a user's password, and Local File Inclusion in service parameter. The vulnerabilities allow unauthenticated attackers to perform actions like delete arbitrary files, retrieve sensitive data, or execute code

Impact

Successful exploitation of these vulnerabilities may allow the attackers to take control of the affected system.

Solution

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

References

• 1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ravpage/ravpage-231-php-object-injection
• 2. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/carspot/carspot-dealership-wordpress-classified-theme-243-unauthenticated-arbitrary-password-resetaccount-takeover
• 3. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/infusionsoft-official-opt-in-forms/keap-official-opt-in-forms-201-unauthenticated-limited-local-file-inclusion