September 6, 2024
Severity
High
Analysis Summary
CVE-2024-1094 CVSS: 5.3
Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability check on the make_staff() function. By sending a specially crafted request, an attacker could exploit this vulnerability to grant users staff permissions.
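The following is an added illustration of the bug class, not the Timetics plugin's own code. It shows a hypothetical WordPress AJAX handler (`plugin_make_staff`, role `plugin_staff`, all assumed names) once without and once with the authorization checks that a missing capability check omits; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `get_userdata`, `wp_send_json_error`) are real core APIs, and the code is meant to run inside a WordPress plugin.

```php
<?php
// Added example in the style of a WordPress plugin; it is NOT the Timetics
// plugin's code. Hypothetical action name 'plugin_make_staff' and role
// 'plugin_staff'. Requires the WordPress runtime (admin-ajax.php).

// BEFORE (vulnerable pattern): a wp_ajax_ hook only requires that the caller
// be logged in, so any subscriber can promote an arbitrary user ID.
function plugin_make_staff_unchecked(): void {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 404 );
    }
    $user->add_role( 'plugin_staff' );
    wp_send_json_success();
}

// AFTER (hardened): verify intent (nonce) and authority (capability) before
// touching roles. Changing roles is the same trust level as editing users,
// so never gate it on is_user_logged_in() alone.
function plugin_make_staff_checked(): void {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'plugin_make_staff', 'nonce' );

    // 2. Authorization: 'promote_users' is the core capability for role changes;
    //    by default only administrators hold it.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: reject unknown or malformed user IDs.
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 404 );
    }

    $user->add_role( 'plugin_staff' );
    wp_send_json_success();
}

// Register only the checked handler.
add_action( 'wp_ajax_plugin_make_staff', 'plugin_make_staff_checked' );
```

When reviewing a plugin, every `wp_ajax_*`, REST route and `admin_post_*` handler that changes state should pair a nonce check with a `current_user_can()` check; the nonce alone does not establish authority, and `is_user_logged_in()` is not authorization. For post-incident review, role changes granted through `admin-ajax.php` by accounts that lack `promote_users` are the signal to look for.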
CVE-2023-7264 CVSS: 8.1
Build App Online plugin for WordPress could provide weaker than expected security, caused by a weak password reset mechanism. A remote attacker could exploit this vulnerability to reset the password of arbitrary users.
CVE-2024-5932 CVSS: 10
GiveWP Plugin for WordPress could allow a remote attacker to execute arbitrary code on the system, caused by a PHP object injection vulnerability. By using deserialization of untrusted input from the 'give_title' parameter, an attacker could exploit this vulnerability to inject a PHP Object and execute arbitrary code on the system.
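To make the PHP object injection class concrete, here is an added, stand-alone PHP example that is not GiveWP's code. It uses a harmless constructed class (`AuditLogger`) to show that `unserialize()` on attacker-controlled input instantiates whatever class the string names and runs its magic methods, then shows three ways to close the sink. The class, the function names and the sample input are all assumptions for the demonstration; the real gadget classes in an exploit come from whatever code the site has loaded, which the advisory does not enumerate.

```php
<?php
// Added example, not GiveWP's code. Runs with plain `php` on the command line.

// Constructed stand-in for any class a WordPress site might have loaded.
// __wakeup() runs automatically when a serialized object is reconstructed,
// which is what turns "deserialize untrusted data" into "run my code".
class AuditLogger {
    public string $message = '';

    public function __wakeup(): void {
        echo "[__wakeup] executed with message: {$this->message}\n";
    }
}

// Constructed untrusted input, standing in for a request parameter such as
// the 'give_title' value named in the advisory.
$untrusted = 'O:11:"AuditLogger":1:{s:7:"message";s:8:"injected";}';

// VULNERABLE: unserialize() rebuilds any class the input names.
function vulnerable_restore(string $input) {
    return unserialize($input);
}

// HARDENED 1: forbid object instantiation. Objects are returned as
// __PHP_Incomplete_Class and no __wakeup()/__destruct() runs.
function hardened_restore(string $input) {
    return unserialize($input, ['allowed_classes' => false]);
}

// HARDENED 2: refuse input that carries an object or custom-serialized token
// (O:/C:) before it reaches unserialize(). Scalars and arrays still pass.
// Note: a string VALUE containing such a token also trips this, which is an
// acceptable false positive for untrusted input.
function contains_serialized_object(string $input): bool {
    return preg_match('/(^|[;{])[OC]:\d+:"/', $input) === 1;
}

// HARDENED 3: do not use PHP serialization for user-supplied data at all.
// JSON can only ever produce scalars and arrays.
function restore_from_json(string $input): ?array {
    try {
        $data = json_decode($input, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

echo "vulnerable: ";
vulnerable_restore($untrusted);               // magic method fires

echo "hardened (allowed_classes=false): ";
$obj = hardened_restore($untrusted);
echo get_class($obj), "\n";                   // no magic method fires

echo "hardened (pre-check): ";
echo contains_serialized_object($untrusted) ? "rejected\n" : "accepted\n";
echo contains_serialized_object('a:1:{i:0;s:3:"abc";}') ? "rejected\n" : "accepted\n";

echo "hardened (json): ";
var_dump(restore_from_json('{"title":"Donate"}'));
```

In a WordPress plugin the fix is usually the third option: persist and read user-supplied values with `wp_json_encode()`/`json_decode()` or `maybe_unserialize()` on data the plugin itself wrote, and never call `unserialize()` on a request parameter. When `unserialize()` cannot be removed, `['allowed_classes' => false]` (or an explicit whitelist of expected classes) is the minimum, and the pre-check is useful as a WAF or logging rule because a serialized object token inside a title or name field has no legitimate reason to appear.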
Impact
- Cross-Site Scripting
- Gain Access
- Code Execution
Indicators of Compromise
CVE
- CVE-2024-1094
- CVE-2023-7264
- CVE-2024-5932
Affected Vendors
Affected Products
- Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling Plugin for WordPress 1.0.21
- Build App Online plugin for WordPress 1.0.21
- GiveWP Plugin for WordPress 3.14.1
Remediation
Upgrade each affected plugin to the latest version available from the WordPress Plugin Directory.