Critical Vulnerabilities in WordPress (CVE-2024-10392, CVE-2024-8512)

Published: Nov 04, 2024 09:42

Advisory No: TZCERT-SA-24-0036

Source: Wordfence

Software Affected: gpt3-ai-content-generator, w3speedster-wp

Overview

Two WordPress plugins are affected by critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute code remotely.

Description

The WordPress plugins gpt3-ai-content-generator and w3speedster-wp are affected by the vulnerabilities tracked as CVE-2024-10392 and CVE-2024-8512, with CVSS scores of 9.8 and 9.1 respectively. The plugins are vulnerable because of missing file type validation in the 'handle_image_upload' function and because user-supplied input is passed to eval(). Both vulnerabilities allow attackers to achieve remote code execution.
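The two defect classes named above (an image upload handler that never validates the file type, and an eval() call fed from the request) are shown below in their hardened form. This is an added example written for this advisory; it is not code from either plugin or from Wordfence. The hook name, nonce action, option values and function names are hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, wp_check_filetype_and_ext, wp_get_image_mime, wp_handle_upload, wp_send_json_error) are real core functions.

```php
<?php
/*
 * Added example (not code from either affected plugin): a hardened
 * WordPress AJAX image upload handler, followed by a settings handler that
 * replaces eval() on user-supplied input with an allow-list lookup.
 * Hook name, nonce action, option values and function names are hypothetical.
 */

add_action( 'wp_ajax_example_upload_image', 'example_handle_image_upload' );

function example_handle_image_upload() {
    // 1. Authorisation and CSRF: only users allowed to upload, with a valid nonce.
    check_ajax_referer( 'example_upload_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['image'] ) || ! is_uploaded_file( $_FILES['image']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['image'];

    // 2. Restrict to image types only: an explicit allow-list of extension => MIME pairs.
    //    Without this step any file, including one ending in .php, would be accepted.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    // 3. Validate extension AND content. wp_check_filetype_and_ext() compares the
    //    extension with the MIME type and, for images, with the real file content,
    //    so a file named .png whose bytes are PHP source fails this check.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // 4. Confirm independently that the bytes decode as the claimed image type.
    if ( wp_get_image_mime( $file['tmp_name'] ) !== $check['type'] ) {
        wp_send_json_error( 'file content does not match type', 415 );
    }

    // 5. Let WordPress move the file into the uploads directory, applying the same
    //    allow-list again and never trusting the client-supplied file name.
    $overrides = array(
        'test_form' => false,
        'mimes'     => $allowed,
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}

/*
 * The eval() pattern: a plugin that "customises" an option by evaluating a PHP
 * expression taken from the request, e.g.
 *     eval( 'return ' . $_POST['expr'] . ';' );   // anti-pattern: request is executed as code
 * The safe replacement expresses the configurable behaviour as data and selects
 * it from an allow-list; anything else falls back to a safe default.
 */
function example_resolve_option( string $requested ): string {
    // Hypothetical option values for illustration only.
    $allowed_modes = array(
        'none'        => 'none',
        'minify'      => 'minify',
        'minify-gzip' => 'minify-gzip',
    );
    return $allowed_modes[ $requested ] ?? 'none';
}
```

The upload handler rejects a request at the earliest failing layer (capability, nonce, extension, declared MIME type, actual file content), so a missing or bypassed check at one layer is still caught by the next. For the eval() case the point is structural: there is no form of input filtering that makes eval() on request data safe, so the configurable behaviour has to be modelled as a lookup rather than as code.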

Impact

Successful exploitation of these vulnerabilities may allow the attackers to take control of the affected system.

Solution

Security patches for these vulnerabilities have been released. Users and administrators are encouraged to apply the necessary updates.
