Critical vulnerabilities in WordPress Plugins Hotel Booking Lite and LearnPress (CVE-2024-4413, CVE-2024-4434)

Published: May 13, 2024 16:05

Advisory No: TZCERT/SA/2024/05/10-2

Source: Wordfence

Software Affected: Hotel Booking Lite, LearnPress

Overview

WordPress CMS is affected by two (2) critical vulnerabilities. Attackers can leverage the vulnerabilities to execute code and gain access to sensitive information.

Description

Two plugins, namely Hotel Booking Lite and LearnPress, are affected by critical vulnerabilities, both rated 9.8 and tracked as CVE-2024-4413 and CVE-2024-4434. The flaws result from PHP Object Injection in the Hotel Booking Lite plugin, and from insufficient escaping of a user-supplied parameter and a lack of sufficient preparation of the existing SQL query in LearnPress. Attackers can exploit the vulnerabilities to execute code and gain access to sensitive information, respectively.
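
The two bug classes named above, shown as weak and hardened patterns in an added PHP example that is not code from either plugin or from this advisory. Table, class and function names are hypothetical, and PDO with in-memory SQLite stands in for the WordPress database layer, where `$wpdb->prepare()` plays the same role.

```php
<?php
// Added illustration. All names (courses, Probe, the function names) are
// hypothetical and are not taken from Hotel Booking Lite or LearnPress.

// --- SQL: string concatenation vs. a prepared statement ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE courses (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO courses (title) VALUES ('Intro'), ('Advanced')");

function find_weak(PDO $db, string $title): array {
    // Weak: the request value becomes part of the SQL text itself.
    return $db->query("SELECT id FROM courses WHERE title = '$title'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

function find_prepared(PDO $db, string $title): array {
    // Hardened: the value is bound as data and is never parsed as SQL.
    $stmt = $db->prepare('SELECT id FROM courses WHERE title = ?');
    $stmt->execute([$title]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = "Intro'";  // constructed value containing one stray quote
try {
    find_weak($db, $input);
} catch (PDOException $e) {
    echo "weak query: input altered the SQL syntax\n";
}
echo "prepared query rows: ", count(find_prepared($db, $input)), "\n";

// --- Deserialization: plain unserialize() vs. allowed_classes ---
class Probe {
    public static bool $woke = false;
    public function __wakeup(): void { self::$woke = true; }
}
$blob = serialize(new Probe());  // constructed stand-in for request data

unserialize($blob);  // Weak: instantiates Probe and runs its __wakeup()
echo "plain unserialize ran magic method: ",
     var_export(Probe::$woke, true), "\n";

Probe::$woke = false;
// Hardened: no application class is instantiated from untrusted bytes.
$safe = unserialize($blob, ['allowed_classes' => false]);
echo "restricted result class: ", get_class($safe),
     ", magic method ran: ", var_export(Probe::$woke, true), "\n";
```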

Impact

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system and gain access to sensitive information.

Solution

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
