Published On: Feb 21, 2025 11:05
Advisory No: TZCERT-SA-25-0061
Source: Wordfence
Software Affected: ravpage, carspot, infusionsoft-official-opt-in-forms
WordPress plugins are vulnerable to critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute arbitrary code.
WordPress plugins ravpage, carspot, and infusionsoft-official-opt-in-forms are affected by the vulnerabilities tracked as CVE-2024-13789, CVE-2024-12860, and CVE-2024-13725 with CVSS score 9.8 each. The plugins are vulnerable due to deserialization of untrusted input from the 'paramsv2' parameter, improperly validating a token prior to updating a user's password, and Local File Inclusion in service parameter. The vulnerabilities allow unauthenticated attackers to perform actions like delete arbitrary files, retrieve sensitive data, or execute code
Successful exploitation of these vulnerabilities may allow the attackers to take control of the affected system.
WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.