Critical Vulnerabilities in WordPress (CVE-2024-13789, CVE-2024-12860, CVE-2024-13725)

Published On: Feb 21, 2025 11:05

Advisory No: TZCERT-SA-25-0061

Source: Wordfence

Software Affected: ravpage, carspot, infusionsoft-official-opt-in-forms

Overview

Three WordPress plugins are affected by critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute arbitrary code, retrieve sensitive data, or delete arbitrary files on the affected site.

Description

The WordPress plugins ravpage, carspot, and infusionsoft-official-opt-in-forms are affected by the vulnerabilities tracked as CVE-2024-13789, CVE-2024-12860, and CVE-2024-13725 respectively, each with a CVSS score of 9.8. ravpage deserializes untrusted input supplied in the 'paramsv2' request parameter (PHP object injection); carspot does not properly validate the reset token before updating a user's password; and infusionsoft-official-opt-in-forms is vulnerable to Local File Inclusion through the 'service' parameter. All three vulnerabilities are exploitable by unauthenticated attackers and may allow them to delete arbitrary files, retrieve sensitive data, or execute code.
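The three bug classes named above are common in plugin code. The following PHP is an illustration added to this advisory, not code from ravpage, carspot, infusionsoft-official-opt-in-forms or Wordfence: each generic vulnerable pattern is shown next to a hardened equivalent. The function names, the 'services/' directory and the allow-list entries are assumptions made for the example; the WordPress core functions used (wp_unslash, sanitize_text_field, check_password_reset_key, reset_password, sanitize_key, plugin_dir_path, wp_die) are real core APIs.

```php
<?php
// Added illustration for TZCERT-SA-25-0061. Not the affected plugins' code;
// handler names, the 'services/' directory and the allow-list are assumed.

// --- 1. Deserialization of untrusted input (PHP object injection) ---

// Vulnerable: unserialize() on request data lets an attacker instantiate any
// loaded class and reach its __wakeup()/__destruct()/__toString() gadgets.
function vulnerable_load_params() {
    return unserialize( wp_unslash( $_POST['paramsv2'] ?? '' ) );
}

// Hardened: carry structured data as JSON and decode to arrays only, so no
// object can ever be rebuilt from the request. (If serialized PHP must be
// accepted, at minimum pass array( 'allowed_classes' => false ) to unserialize().)
function hardened_load_params() {
    $raw  = wp_unslash( $_POST['paramsv2'] ?? '' );
    $data = json_decode( $raw, true, 8 );           // assoc arrays, depth-limited
    if ( ! is_array( $data ) ) {
        return array();                              // reject anything else
    }
    // keep only string values and sanitize them before further use
    return array_map( 'sanitize_text_field', array_filter( $data, 'is_string' ) );
}

// --- 2. Password reset without proper token validation ---

// Vulnerable: only checks that some key was supplied; never verifies that the
// key was issued for this user or is still valid, so any login can be reset.
function vulnerable_reset_password( $login, $key, $new_password ) {
    $user = get_user_by( 'login', $login );
    if ( $user && ! empty( $key ) ) {
        wp_set_password( $new_password, $user->ID );
        return true;
    }
    return false;
}

// Hardened: let core verify the key (hashed, bound to the user, time-limited)
// and perform the reset; wp_set_password() inside reset_password() also clears
// the stored activation key so it cannot be replayed.
function hardened_reset_password( $login, $key, $new_password ) {
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        return false;                                // invalid or expired key
    }
    reset_password( $user, $new_password );
    return true;
}

// --- 3. Local File Inclusion via a request parameter ---

// Vulnerable: the 'service' value is spliced into an include path, so a
// traversal sequence reaches any .php file on disk, including uploaded ones.
function vulnerable_load_service() {
    $service = $_GET['service'] ?? 'default';
    include plugin_dir_path( __FILE__ ) . 'services/' . $service . '.php';
}

// Hardened: map the request value onto a fixed allow-list of known files;
// the request never contributes path characters at all.
function hardened_load_service() {
    $allowed = array(
        'optin'   => 'services/optin.php',
        'contact' => 'services/contact.php',
    );
    $service = sanitize_key( $_GET['service'] ?? 'optin' );
    if ( ! isset( $allowed[ $service ] ) ) {
        wp_die( 'Unknown service', 400 );            // reject unknown values
    }
    include plugin_dir_path( __FILE__ ) . $allowed[ $service ];
}
```

When reviewing a plugin, grep for unserialize(), include/require with request-derived paths, and password-reset handlers that do not call check_password_reset_key(); these are the same three patterns the advisory describes.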

Impact

Successful exploitation of these vulnerabilities may allow an attacker to take full control of the affected site.

Solution

Updated versions of the affected plugins that address these vulnerabilities have been released by their developers. Users and administrators are encouraged to update to the latest versions immediately; where an update cannot be applied promptly, the affected plugin should be deactivated until it can.
