Two Critical Vulnerabilities in WordPress (CVE-2024-8615, CVE-2024-9307)

Imechapishwa: Nov 08, 2024 22:42

Advisory No: TZCERT-SA-24-0043

Source: Wordfence

Software Affected: wp-jobsearch, mfolio-lite

Overview

WordPress is vulnerable to critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute code remotely.

Description

WordPress plugins wp-jobsearch, and mfolio-lite are affected by the vulnerabilities tracked as CVE-2024-8615, and CVE-2024-9307 with CVSS scores of 10 and 9.9 respectively. The plugins are vulnerable due to missing file type validation in the jobsearch_location_load_excel_file_callback() function, and a missing capability check. The vulnerabilities allow attackers to achieve remote code execution on affected systems.

Impact

Successful exploitation of these vulnerabilities may allow the attackers to take control of the affected system.

Solution

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

Subscribe To TZ - CERT Newsletter

A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.

Subscribe
Ripoti Tukio