The WordPress UpdraftPlus plugin is vulnerable to a high-severity PHP object injection vulnerability. Tracked as CVE-2024-10957, the vulnerability may allow an unauthenticated attacker to delete arbitrary files, retrieve sensitive data, or execute code. According to WordPress, more than 3 million websites worldwide use the plugin.
Tag: WordPress
WordPress Releases Fix for Critical Vulnerability Impacting Anti-Spam Plugin (CVE-2024-10542)
The Spam Protection, Anti-Spam, and FireWall by CleanTalk plugin for WordPress is vulnerable to two security vulnerabilities tracked as CVE-2024-10542 and CVE-2024-10781. Successful exploitation of the vulnerabilities may allow an unauthenticated attacker to install and enable malicious plugins on vulnerable sites, ultimately leading to remote code execution.
WordPress Multilingual Plugin (WPML) CMS Server-Side Template Injection Vulnerability (CVE-2024-6386)
A critical vulnerability has been discovered in a popular WordPress plugin called WPML, tracked as CVE-2024-6386, with a CVSS score of 9.9. Successful exploitation of the vulnerability may allow an authenticated attacker to execute arbitrary code on the vulnerable server. The vulnerability was first disclosed to WordPress in June 2024 and was fully patched in …
WordPress Plugins Injected Backdoor Vulnerability Impacts Multiple Sites (CVE-2024-6297)
Multiple WordPress plugins are vulnerable to a critical-severity vulnerability tracked as CVE-2024-6297, which has been given a CVSS score of 10 and impacts 13 plugins. Plugins hosted on WordPress.org have been hijacked, with malicious PHP scripts injected into them. As per the WordPress advisory, “A malicious threat actor compromised the …
WordPress LiteSpeed Cache Plugin Cross Site Scripting (XSS) Vulnerability (CVE-2023-40000)
The WordPress LiteSpeed Cache plugin is vulnerable to a cross-site scripting vulnerability that may lead to privilege escalation. CVE-2023-40000 may allow an unauthenticated user to steal sensitive information and elevate their privileges on the WordPress site with a single HTTP request.
WordPress Patches Multiple Vulnerabilities in POST SMTP Mailer Plugin (CVE-2023-6875 & CVE-2023-7027)
The WordPress POST SMTP Mailer plugin, a widely used email delivery tool, is vulnerable to two flaws that may allow an attacker to take complete control of a site’s authentication. Tracked as CVE-2023-6875 and CVE-2023-7027, the vulnerabilities have been given critical and high severity ratings, respectively. Last month, Ulyses Saicha and Sean Murphy discovered and reported these …
WordPress Backup Migration Plugin Remote Code Execution Vulnerability (CVE-2023-6553)
WordPress has released security updates to address a critical-severity vulnerability in the Backup Migration plugin. Tracked as CVE-2023-6553, the vulnerability may allow unauthenticated attackers to inject arbitrary PHP code, resulting in an entire site compromise. The vulnerability has been given a CVSS score of 9.8. The Nex Team discovered the vulnerability and reported it to WordPress …
WordPress Releases Patch for Critical Remote Code Execution Vulnerability
Multiple versions of WordPress are affected by a remote code execution vulnerability. An attacker may chain it with another vulnerability to run arbitrary PHP code on the target website.
WordPress Plugin Ultimate Member Unauthenticated Privilege Escalation Vulnerability (CVE-2023-3460)
The WordPress Ultimate Member plugin is vulnerable to a privilege escalation vulnerability that is being exploited in the wild. CVE-2023-3460 has been rated as critical with a CVSS base score of 9.8. The proof of concept for the vulnerability will be released on August 1st, 2023. Ultimate Member is a user profile and membership plugin for …
WordPress LMS Plugin LearnPress Multiple Vulnerabilities (CVE-2022-45820, CVE-2022-45808, & CVE-2022-47615)
Multiple vulnerabilities have been discovered in the WordPress online course plugin LearnPress. The vulnerabilities are being tracked as CVE-2022-45820, CVE-2022-45808, and CVE-2022-47615. These vulnerabilities could allow attackers to insert malicious code, potentially leading to sensitive information disclosure, data modification, and arbitrary code execution. PatchStack discovered the vulnerabilities. LearnPress is a comprehensive, free-to-use learning management …