Multiple critical vulnerabilities affecting WordPress (CVE-2024-3604, CVE-2024-6314, CVE-2024-6313, CVE-2024-6365)

Published On: Jul 11, 2024 05:25

Advisory No: TZCERT/SA/2024/07/10-2

Source: Wordfence

Software Affected: osm, iq-testimonials, forms-gutenberg, woo-product-tables

Overview

Four WordPress plugins are affected by critical vulnerabilities. Exploitation of these vulnerabilities can lead to remote code execution on the affected site.

Description

Four WordPress plugins, namely osm, iq-testimonials, forms-gutenberg, and woo-product-tables, are affected by the vulnerabilities tracked as CVE-2024-3604, CVE-2024-6314, CVE-2024-6313, and CVE-2024-6365 respectively. In osm (CVE-2024-3604), a user-supplied parameter is insufficiently escaped and the existing SQL query is not sufficiently prepared, allowing SQL injection. In iq-testimonials (CVE-2024-6314), the 'process_image_upload' function performs insufficient file type validation, allowing arbitrary file upload. In forms-gutenberg (CVE-2024-6313), the 'upload' function lets the user specify the allowed file types, again allowing arbitrary file upload. In woo-product-tables (CVE-2024-6365), a missing authorization check combined with a lack of sanitization of the data appended to the languages/customTitle.php file allows attacker-controlled input to be written into a PHP file. Attackers can exploit these vulnerabilities to execute arbitrary code on the server.
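The three flaw classes the advisory describes (an unprepared SQL query, an upload path whose accepted file types are missing or caller-chosen, and an unauthenticated write of unsanitized data into a PHP file) map onto well-known WordPress coding patterns. The following is an added illustration, not code taken from any of the four plugins: each generic weak pattern is shown beside a hardened form that uses WordPress core APIs. All function names, table names and option names below are hypothetical.

```php
<?php
// Added illustration, not code from osm, iq-testimonials, forms-gutenberg or
// woo-product-tables. Each pair shows a generic weak pattern matching a flaw
// class the advisory describes, beside a hardened form using WordPress core
// APIs. Function, table and option names are hypothetical.

// --- 1. SQL injection: unescaped parameter, query not prepared ---------------
function weak_list_by_tag( $tag ) {
    global $wpdb;
    // $tag flows straight from the request into the SQL string.
    return $wpdb->get_results( "SELECT id, title FROM {$wpdb->prefix}items WHERE tag = '$tag'" );
}

function safe_list_by_tag( $tag ) {
    global $wpdb;
    // $wpdb->prepare() binds the value; the table name comes from the trusted prefix.
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$wpdb->prefix}items WHERE tag = %s", $tag )
    );
}

// --- 2. Arbitrary file upload: no type validation / caller-chosen types ------
function weak_process_upload( $file, $allowed_from_request ) {
    // Trusting a client-supplied allow-list means ".php" can simply be "allowed",
    // and nothing checks the file content against the claimed extension.
    $name = basename( $file['name'] );
    $ext  = pathinfo( $name, PATHINFO_EXTENSION );
    if ( in_array( $ext, $allowed_from_request, true ) ) {
        $dir = wp_upload_dir();
        move_uploaded_file( $file['tmp_name'], $dir['path'] . '/' . $name );
    }
}

function safe_process_upload( $file ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to upload.' );
    }
    // Server-side allow-list of image types only; never taken from the request.
    $mimes = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );
    // Checks the extension and, for images, sniffs the actual content.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload() re-validates, sanitizes the filename and stores it under uploads/.
    return wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $mimes ) );
}

// --- 3. Missing authorization + unsanitized data appended to a PHP file -------
function weak_save_custom_title() {
    // No capability or nonce check, and raw input is appended to executable PHP source.
    $data = $_POST['title'];
    file_put_contents( __DIR__ . '/languages/customTitle.php', $data, FILE_APPEND );
}

function safe_save_custom_title() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_title' );
    // Store sanitized text as data in the options table, never as PHP source.
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ) );
    update_option( 'example_custom_title', $title );
}
```

When reviewing a plugin for these patterns, the questions to ask are the ones each hardened function answers: is every request value bound with $wpdb->prepare() rather than interpolated, is the set of accepted upload types fixed on the server and checked against file content, and is any write to a file inside the web root gated by a capability check and a nonce and limited to data rather than PHP source.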

Impact

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.

Solution

Patched versions of the affected plugins have been released. Users and administrators are encouraged to update osm, iq-testimonials, forms-gutenberg, and woo-product-tables to the latest available versions.
