Published On: Sep 26, 2024 11:05
Advisory No: TZCERT-SA-24-0028
Source: Wordfence
Software Affected: daily-prayer-time-for-mosques, google-website-translator, the-events-calendar, wp-easy-gallery, woo-events, wp-meta-data-filter-and-taxonomy-filter, charitable
WordPress is vulnerable to critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute code remotely or retrieve sensitive data.
WordPress plugins daily-prayer-time-for-mosques, google-website-translator, the-events-calendar, wp-easy-gallery, woo-events, wp-meta-data-filter-and-taxonomy-filter, charitable are affected by the vulnerabilities tracked as CVE-2024-8621, CVE-2024-8514, CVE-2024-8275, CVE-2024-8436, CVE-2024-8671, CVE-2024-8624, CVE-2024-8791 with CVSS scores of 9.8, 9.8, 9.1 and 9.1. The plugins are vulnerable to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query, deserialization of untrusted input from the 'prisna_import' parameter, lack of sufficient preparation on the existing SQL query, insufficient file path validation in the inc/barcode.php file, lack of sufficient preparation on the existing SQL query, and improper plugin verification of user's identity. Attackers can exploit the vulnerabilities to delete arbitrary files, retrieve sensitive data, or execute code on the affected system.
Successful exploitation of these vulnerabilities may allow the attackers to take control of the affected system.
WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.