Multiple WordPress plugins are vulnerable to a critical severity vulnerability tracked as CVE-2024-6297. The vulnerability is given a CVSS score of 10. The vulnerability impacts 13 plugins. WordPress plugins hosted on WordPress.org have been hijacked, as malicious PHP scripts have been injected into them. As per the WordPress advisory, “A malicious threat actor compromised the … Continue reading “WordPress Plugins Injected Backdoor Vulnerability Impacts Multiple (CVE-2024-6297)”
Tag: WordPress
WordPress LiteSpeed Cache Plugin Cross Site Scripting (XSS) Vulnerability (CVE-2023-40000)
WordPress LiteSpeed Cache plugin is vulnerable to cross-site scripting vulnerability that may lead to privilege escalation. CVE-2023-40000 may allow an unauthenticated user to steal sensitive information and elevate their privilege on the WordPress site by performing a single HTTP request.
WordPress Patches Multiple Vulnerabilities in POST SMTP Mailer Plugin (CVE-2023-6875 & CVE-2023-7027)
WordPress POST SMTP Mailer Plugin, a widely used email delivery tool, is vulnerable to two flaws that may allow a threat attacker to control a site’s authentication completely. Tracked as CVE-2023-6875 and CVE-2023-7027, the vulnerabilities have been given critical and high severity ratings, respectively. Last Month, Ulyses Saicha and Sean Murphy discovered and reported these … Continue reading “WordPress Patches Multiple Vulnerabilities in POST SMTP Mailer Plugin (CVE-2023-6875 & CVE-2023-7027)”
WordPress Backup Migration Plugin Remote Code Execution Vulnerability (CVE-2023-6553)
WordPress has released security updates to address a critical severity vulnerability Backup Migration Plugin. Tracked as CVE-2023-6553, the vulnerability may allow unauthenticated attackers to inject arbitrary PHP code, resulting in an entire site compromise. The vulnerability has been given a CVSS score of 9.8. The Nex Team has discovered the vulnerability and reported it to WordPress … Continue reading “WordPress Backup Migration Plugin Remote Code Execution Vulnerability (CVE-2023-6553)”
WordPress Releases Patch for Critical Remote Code Execution Vulnerability
Multiple versions of WordPress are affected by a remote code execution vulnerability. An attacker may chain the vulnerability with another vulnerability to run arbitrary PHP code on the target website.
WordPress Plugin Ultimate Member Unauthenticated Privilege Escalation Vulnerability (CVE-2023-3460)
WordPress Ultimate Member plugin is vulnerable to a privilege escalation vulnerability that is being exploited in the wild. CVE-2023-3460 has been rated as critical with a CVSS base score of 9.8. The proof of concept for the vulnerability will be released on August 1st, 2023. Ultimate Member is a user profile and membership plugin for … Continue reading “WordPress Plugin Ultimate Member Unauthenticated Privilege Escalation Vulnerability (CVE-2023-3460)”
WordPress LMS Plugin LearnPress Multiple Vulnerabilities (CVE-2022-45820, CVE-2022-45808, & CVE-2022-47615)
Multiple vulnerabilities have been discovered in the WordPress online course plugin LearnPress. The vulnerabilities are being tracked as CVE-2022-45820, CVE-2022-45808, and CVE-2022-47615. These vulnerabilities could allow attackers to insert malicious code, potentially leading to sensitive information disclosure, data modification, and arbitrary code execution. PatchStack discovered the vulnerability. LearnPress is a comprehensive, free-to-use learning management … Continue reading “WordPress LMS Plugin LearnPress Multiple Vulnerabilities (CVE-2022-45820, CVE-2022-45808, & CVE-2022-47615)”
WordPress Plugin Starter Templates Stored Cross-Site Scripting (XSS) Vulnerability Impacts Over Million Sites (CVE-2021-42360)
Astra Theme’s WordPress plugin fixed an XSS vulnerability that could lead to total site takeover and attacks on visitors. A vulnerability in the Starter Templates – Elementor, Gutenberg, and Beaver Builder Templates plugin can allow contributor-level users to entirely replace any page on the site and implant malicious JavaScript at any time. This vulnerability was first discovered … Continue reading “WordPress Plugin Starter Templates Stored Cross-Site Scripting (XSS) Vulnerability Impacts Over Million Sites (CVE-2021-42360)”
WordPress File Manager Plugin Remote Code Execution Vulnerability
Overview: On 1st September 2020, researchers at Wordfence published a blog regarding a remote code execution vulnerability in WordPress File Manager plugin. Successful exploitation of this vulnerability allows unauthenticated remote attackers to execute commands and upload malicious files and shells on a target website. The vulnerability currently does not have any CVE assigned to it … Continue reading “WordPress File Manager Plugin Remote Code Execution Vulnerability”
Zero-days in WordPress Plugins 2020
Summary: During the past two weeks, we’ve seen a resurgence in attacks against WordPress plugins. Most of them have been briefed in below section. Description: Lets try to understand those 8 vulnerable plugins one by one. Duplicator Duplicator is one of the most popular plugins on the WordPress portal, with more than one million installs … Continue reading “Zero-days in WordPress Plugins 2020”
