Multiple Critical Vulnerabilities in WordPress (CVE-2024-8621, CVE-2024-8514, CVE-2024-8275, CVE-2024-8436, CVE-2024-8671, CVE-2024-8624, CVE-2024-8791)

Published: Sep 26, 2024 11:05

Advisory No: TZCERT-SA-24-0028

Source: Wordfence

Software Affected: daily-prayer-time-for-mosques, google-website-translator, the-events-calendar, wp-easy-gallery, woo-events, wp-meta-data-filter-and-taxonomy-filter, charitable

Overview

Several WordPress plugins are affected by critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute code remotely or retrieve sensitive data.

Description

The WordPress plugins daily-prayer-time-for-mosques, google-website-translator, the-events-calendar, wp-easy-gallery, woo-events, wp-meta-data-filter-and-taxonomy-filter and charitable are affected by the vulnerabilities tracked as CVE-2024-8621, CVE-2024-8514, CVE-2024-8275, CVE-2024-8436, CVE-2024-8671, CVE-2024-8624 and CVE-2024-8791, with CVSS scores of 9.8, 9.8, 9.1 and 9.1. The underlying weaknesses are: insufficient escaping of a user-supplied parameter combined with a lack of sufficient preparation on an existing SQL query; deserialization of untrusted input from the 'prisna_import' parameter; a lack of sufficient preparation on an existing SQL query; insufficient file path validation in the inc/barcode.php file; a further lack of sufficient preparation on an existing SQL query; and improper verification of a user's identity by the plugin. Attackers can exploit the vulnerabilities to delete arbitrary files, retrieve sensitive data, or execute code on the affected system.
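As an added illustration (not code from the affected plugins, from Wordfence, or from TZ-CERT), the following shows the hardened form of three of the weakness classes named above as they would appear in a WordPress plugin: SQL queries built with $wpdb->prepare(), a file path constrained to an allowed directory, and a capability plus nonce check with JSON instead of unserialize() for request data. All function, table and option names are hypothetical.

```php
<?php
// Added example; the example_* names, table and option are hypothetical.

// 1. SQL: bind user input with $wpdb->prepare() instead of interpolating it.
function example_find_events_by_city( $city ) {
    global $wpdb;
    $city  = sanitize_text_field( wp_unslash( $city ) );
    $table = $wpdb->prefix . 'example_events';   // hypothetical table
    // Unprepared form, for contrast: "SELECT ... WHERE city = '$city'"
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE city = %s LIMIT %d",
        $city,
        50
    );
    return $wpdb->get_results( $sql );
}

// 2. File paths: canonicalise the requested file and confirm it stays inside
//    the directory the plugin is allowed to touch before deleting it.
function example_delete_upload( $requested_name ) {
    $base = realpath( wp_upload_dir()['basedir'] . '/example-plugin' );
    if ( false === $base ) {
        return new WP_Error( 'no_dir', 'Plugin upload directory is missing.' );
    }
    $real = realpath( $base . '/' . basename( $requested_name ) );
    if ( false === $real || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'bad_path', 'File is outside the allowed directory.' );
    }
    return wp_delete_file( $real );
}

// 3. Identity: require a capability and a valid nonce before a privileged
//    action; being logged in is not the same as being authorised.
function example_handle_settings_import() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_import' );
    // Decode structured input as JSON; unserialize() on request data can
    // instantiate arbitrary PHP objects.
    $data = json_decode( wp_unslash( $_POST['payload'] ?? '' ), true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Invalid payload.', '', array( 'response' => 400 ) );
    }
    update_option( 'example_plugin_settings', $data );
}
```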

Impact

Successful exploitation of these vulnerabilities may allow the attackers to take control of the affected system.

Solution

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
