Published: Oct 16, 2024 23:28
Advisory No: TZCERT-SA-24-0034
Source: Wordfence
Software Affected: give, nextend-social-login-pro, Ultimate_AI
Three WordPress plugins are affected by critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute code remotely or retrieve sensitive data.
The WordPress plugins give, nextend-social-login-pro, and Ultimate_AI are affected by the vulnerabilities tracked as CVE-2024-9634, CVE-2024-9893, and CVE-2024-9105, each with a CVSS score of 9.8. The plugins are vulnerable due to, respectively, deserialization of untrusted input from the give_company_name parameter, insufficient verification of the user returned by the social login token, and insufficient verification of the user supplied to the 'ultimate_ai_register_or_login_with_google' function. The vulnerabilities allow unauthenticated attackers to achieve remote code execution and to log in as any existing user on the site, including an administrator, if the attacker has access to that user's email address.
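The first issue above is a classic case of passing request input to a deserializer. A defender can look for that input pattern in web traffic before and after patching: a PHP-serialized object always begins with `O:<length>:"<ClassName>":<count>:{`, and no legitimate donation form field should carry that. The following is an added example, not code from the advisory or from any of the plugins; the request bodies are constructed samples (the parameter name give_company_name is from the advisory, everything else is made up for illustration) and the scanner flags any form parameter whose decoded value looks like a serialized PHP object, not just the one named here.

```python
import re
from urllib.parse import parse_qs

# Opening of a PHP-serialized object: O:<name length>:"<ClassName>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"[^"]+":\d+:\{')

# Constructed sample requests (form-encoded bodies); not captured traffic.
# The second one carries a percent-encoded serialized stdClass in give_company_name,
# the benign built-in class, used only to show the shape a detector should catch.
SAMPLE_REQUESTS = [
    {"path": "/wp-admin/admin-ajax.php",
     "body": "action=hypothetical_donation&give_company_name=Acme+Ltd&name=Alice"},
    {"path": "/wp-admin/admin-ajax.php",
     "body": "action=hypothetical_donation&give_company_name="
             "O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D"},
    {"path": "/wp-login.php",
     "body": "log=alice&pwd=placeholder"},
]


def parse_form_body(body):
    """Decode an application/x-www-form-urlencoded body into {name: [values]}.

    Splitting on '&' happens before percent-decoding, so a payload whose
    ';' and '{' are encoded cannot smuggle extra parameters past the parser.
    """
    return parse_qs(body, keep_blank_values=True)


def find_serialized_params(request):
    """Return (path, parameter) pairs whose value looks like a PHP serialized object."""
    findings = []
    for name, values in parse_form_body(request["body"]).items():
        for value in values:
            if PHP_OBJECT_RE.search(value):
                findings.append((request["path"], name))
    return findings


def scan(requests):
    """Run the check over a batch of requests and collect every finding."""
    findings = []
    for request in requests:
        findings.extend(find_serialized_params(request))
    return findings


if __name__ == "__main__":
    for path, param in scan(SAMPLE_REQUESTS):
        print(f"serialized PHP object in parameter {param!r} sent to {path}")
```

The check is a triage signal, not a fix: the mitigation on the application side is to update the plugin and, in any code you maintain, to never call `unserialize()` on request data (use JSON for structured input, or at minimum pass `['allowed_classes' => false]`). On the detection side, a hit on a parameter like give_company_name from an unauthenticated session is worth an alert on its own, because there is no benign reason for a company-name field to contain a serialized object.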
Successful exploitation of these vulnerabilities may allow attackers to take control of the affected system.
WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.