Rewterz

Multiple WordPress Plugin Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-49248 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Igor Funa Ad Inserter allows Reflected XSS. This issue affects Ad Inserter: from n/a through 2.7.37.

CVE-2024-49255 CVSS:6.5

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Daniele Alessandra Da Reactions allows Stored XSS. This issue affects Da Reactions: from n/a through 5.1.5.

CVE-2024-49259 CVSS:6.5

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in NicheAddons Primary Addon for Elementor allows Stored XSS. This issue affects Primary Addon for Elementor: from n/a through 1.5.8.

CVE-2024-49261 CVSS:6.5

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in LOOS,Inc. Arkhe Blocks allows Stored XSS. This issue affects Arkhe Blocks: from n/a through 2.23.0.

CVE-2024-49262 CVSS:6.5

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wepic Country Flags for Elementor allows Stored XSS. This issue affects Country Flags for Elementor: from n/a through 1.0.1.

CVE-2024-49263 CVSS:6.5

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Takashi Matsuyama My Favorites allows Stored XSS. This issue affects My Favorites: from n/a through 1.4.1.

CVE-2024-49264 CVSS:6.5

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in NicheAddons Events Addon for Elementor allows Stored XSS. This issue affects Events Addon for Elementor: from n/a through 2.2.0.

CVE-2024-49276 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themis Solutions, Inc. Clio Grow allows Reflected XSS. This issue affects Clio Grow: from n/a through 1.0.2.

CVE-2024-49277 CVSS:6.5

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CodeAstrology Team UltraAddons Elementor Lite allows Stored XSS. This issue affects UltraAddons Elementor Lite: from n/a through 1.1.8.

CVE-2024-49278 CVSS:6.5

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in omnipressteam Omnipress allows Stored XSS. This issue affects Omnipress: from n/a through 1.4.3.

Impact

  • Cross Site Scripting

Indicators of Compromise

CVE

  • CVE-2024-49248
  • CVE-2024-49255
  • CVE-2024-49259
  • CVE-2024-49261
  • CVE-2024-49262
  • CVE-2024-49263
  • CVE-2024-49264
  • CVE-2024-49276
  • CVE-2024-49277
  • CVE-2024-49278

Affected Vendors

WordPress

Affected Products

  • Igor Funa Ad Inserter - n/a
  • Daniele Alessandra Da Reactions - n/a
  • wepic Country Flags for Elementor - n/a
  • Takashi Matsuyama My Favorites - n/a
  • NicheAddons Events Addon for Elementor - n/a
  • CodeAstrology Team UltraAddons Elementor Lite - n/a
  • NicheAddons Primary Addon for Elementor - n/a

Remediation

Upgrade each affected plugin to its latest version, available from the WordPress Plugin Directory.
