
Multiple WordPress Plugin Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-44017 CVSS:7.5

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in MinHyeong Lim MH Board allows PHP Local File Inclusion. This issue affects MH Board: from n/a through 1.3.2.1.

CVE-2024-44030 CVSS:7.2

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mestres do WP Checkout Mestres WP. This issue affects Checkout Mestres WP: from n/a through 8.6.

CVE-2024-47335 CVSS:7.6

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bit Form Bit Form – Contact Form Plugin allows SQL Injection. This issue affects Bit Form – Contact Form Plugin: from n/a through 2.13.11.

CVE-2024-47338 CVSS:7.6

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPExpertsio WPExperts Square For GiveWP allows SQL Injection. This issue affects WPExperts Square For GiveWP: from n/a through 1.3.

CVE-2024-44028 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in Nicejob NiceJob allows Stored XSS. This issue affects NiceJob: from n/a before 3.6.5.

CVE-2024-45454 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) allows Reflected XSS. This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.121.

CVE-2024-47300 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CubeWP CubeWP Forms – All-in-One Form Builder allows Stored XSS. This issue affects CubeWP Forms – All-in-One Form Builder: from n/a through 1.1.1.

CVE-2024-47306 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Copy Content Protection Team Secure Copy Content Protection and Content Locking allows Stored XSS. This issue affects Secure Copy Content Protection and Content Locking: from n/a through 4.2.3.

CVE-2024-47320 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WS Form WS Form LITE allows Stored XSS. This issue affects WS Form LITE: from n/a through 1.9.238.

CVE-2024-47322 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ex-Themes WP Timeline – Vertical and Horizontal timeline plugin allows Reflected XSS. This issue affects WP Timeline – Vertical and Horizontal timeline plugin: from n/a through 3.6.7.

CVE-2024-47326 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ILLID Share This Image allows Reflected XSS. This issue affects Share This Image: from n/a through 2.01.

CVE-2024-47333 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Team Tangible Loops & Logic allows Reflected XSS. This issue affects Loops & Logic: from n/a through 4.1.4.

CVE-2024-47339 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in James Ward WP Mail Catcher allows Reflected XSS. This issue affects WP Mail Catcher: from n/a through 2.1.9.

CVE-2024-47346 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tribulant Newsletters allows Reflected XSS. This issue affects Newsletters: from n/a through 4.9.9.1.

Impact

  • Gain Access
  • Data Manipulation
  • Cross-Site Scripting

Indicators of Compromise

CVE

  • CVE-2024-44017
  • CVE-2024-44030
  • CVE-2024-47335
  • CVE-2024-47338
  • CVE-2024-44028
  • CVE-2024-45454
  • CVE-2024-47300
  • CVE-2024-47306
  • CVE-2024-47320
  • CVE-2024-47322
  • CVE-2024-47326
  • CVE-2024-47333
  • CVE-2024-47339
  • CVE-2024-47346

Affected Vendors

WordPress

Affected Products

  • MinHyeong Lim MH Board - n/a
  • Mestres do WP Checkout Mestres WP - n/a
  • Bit Form – Contact Form Plugin - n/a
  • WPExperts Square For GiveWP - n/a
  • NiceJob - n/a
  • CubeWP Forms – All-in-One Form Builder - n/a
  • Copy Content Protection Team Secure Copy Content Protection and Content Locking - n/a
  • WS Form LITE - n/a
  • Ex-Themes WP Timeline – Vertical and Horizontal timeline plugin - n/a
  • ILLID Share This Image - n/a
  • James Ward WP Mail Catcher - n/a
  • Tribulant Newsletters - n/a
  • Team Tangible Loops and Logic - n/a

Remediation

Upgrade each affected plugin to the latest version available from the WordPress Plugin Directory. Note that the affected ranges above are inclusive ("through 1.3.2.1" means that version is still vulnerable), except for NiceJob, where 3.6.5 is the first fixed version ("before 3.6.5").
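To turn the affected-version ranges above into an inventory check, the following script (an added example, not part of the Rewterz advisory) encodes each CVE's upper bound and compares it against a list of installed plugin names and versions. The inventory it runs on is constructed for illustration; in practice it could be fed from any plugin listing that yields name/version pairs. It distinguishes the inclusive "through" bound used by thirteen of the entries from the exclusive "before" bound stated for NiceJob, and pads short version strings with zeros so that 1.3 and 1.3.0 compare equal. Plugin names are matched on the display names used in the advisory, which is an assumption; real deployments would match on plugin slugs.

```python
import re

# Upper bounds of the affected ranges as stated in the advisory. Every entry
# has no known lower bound ("from n/a"), so only the upper bound matters.
#   "through" = inclusive: the named version is itself still vulnerable
#   "before"  = exclusive: the named version already carries the fix
AFFECTED = [
    ("CVE-2024-44017", "MH Board", "through", "1.3.2.1"),
    ("CVE-2024-44030", "Checkout Mestres WP", "through", "8.6"),
    ("CVE-2024-47335", "Bit Form – Contact Form Plugin", "through", "2.13.11"),
    ("CVE-2024-47338", "WPExperts Square For GiveWP", "through", "1.3"),
    ("CVE-2024-44028", "NiceJob", "before", "3.6.5"),
    ("CVE-2024-45454", "Unlimited Elements For Elementor", "through", "1.5.121"),
    ("CVE-2024-47300", "CubeWP Forms – All-in-One Form Builder", "through", "1.1.1"),
    ("CVE-2024-47306", "Secure Copy Content Protection and Content Locking", "through", "4.2.3"),
    ("CVE-2024-47320", "WS Form LITE", "through", "1.9.238"),
    ("CVE-2024-47322", "WP Timeline – Vertical and Horizontal timeline plugin", "through", "3.6.7"),
    ("CVE-2024-47326", "Share This Image", "through", "2.01"),
    ("CVE-2024-47333", "Loops & Logic", "through", "4.1.4"),
    ("CVE-2024-47339", "WP Mail Catcher", "through", "2.1.9"),
    ("CVE-2024-47346", "Newsletters", "through", "4.9.9.1"),
]


def parse_version(text):
    """Turn '1.9.238' into a tuple of ints; a non-numeric component counts as 0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare(a, b):
    """Return -1, 0 or 1; shorter tuples are zero-padded so 1.3 == 1.3.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(installed, bound_kind, bound):
    """True when the installed version falls inside the advisory's range."""
    c = compare(parse_version(installed), parse_version(bound))
    if bound_kind == "through":
        return c <= 0      # inclusive upper bound
    if bound_kind == "before":
        return c < 0       # exclusive upper bound: the bound itself is fixed
    raise ValueError(f"unknown bound kind: {bound_kind}")


def check_inventory(inventory):
    """inventory: iterable of (plugin_name, installed_version).

    Returns a list of (plugin_name, installed_version, cve) for every entry
    whose installed version is still inside an affected range.
    """
    findings = []
    for name, version in inventory:
        for cve, plugin, kind, bound in AFFECTED:
            if plugin.lower() == name.lower() and is_affected(version, kind, bound):
                findings.append((name, version, cve))
    return findings


# Constructed sample inventory for one hypothetical site (not real data).
SAMPLE_INVENTORY = [
    ("MH Board", "1.3.2.1"),       # at the inclusive bound: still vulnerable
    ("NiceJob", "3.6.5"),          # at the exclusive bound: already fixed
    ("WS Form LITE", "1.9.238"),   # at the inclusive bound: still vulnerable
    ("Newsletters", "5.0.0"),      # above the bound: not affected
    ("Loops & Logic", "4.1.4"),    # at the inclusive bound: still vulnerable
]

if __name__ == "__main__":
    for name, version, cve in check_inventory(SAMPLE_INVENTORY):
        print(f"{cve}: {name} {version} is within the affected range; upgrade")
```

On the sample inventory the script reports MH Board, WS Form LITE and Loops & Logic and stays silent on NiceJob 3.6.5 and Newsletters 5.0.0, which is the behaviour the "through" versus "before" wording in the advisory requires.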
