
Multiple WordPress Plugins Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-31421 CVSS:4.3

Popup by Supsystic Plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by broken access control (a missing authorization check). By sending a specially crafted request, an attacker could exploit this vulnerability to edit posts without permission.

CVE-2024-31432 CVSS:5.3

Restrict Content Plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by broken access control. By sending a specially crafted request, an attacker could exploit this vulnerability to edit posts without permission.

CVE-2023-52144 CVSS:5.5

Product Feed Manager plugin for WordPress could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially crafted request to modify arbitrary files on the system.

CVE-2024-32454 CVSS:4.4

The Wappointment plugin for WordPress is vulnerable to server-side request forgery. A remote authenticated attacker could exploit this vulnerability to conduct an SSRF attack, allowing the attacker to access or manipulate resources from the perspective of the affected server.

CVE-2024-31372 CVSS:4.3

No-Bot Registration Plugin for WordPress is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVE-2024-31371 CVSS:4.3

WP Event Aggregator Plugin for WordPress is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVE-2024-3054 CVSS:7.2

WPvivid Backup & Migration Plugin for WordPress could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a PHAR deserialization flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to delete arbitrary files, retrieve sensitive data, or execute code.
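The broken-access-control, CSRF and file-path issues described above share a few root causes that a plugin author or reviewer can check for directly. The following is an added, hypothetical WordPress plugin handler (not code from any of the plugins listed here); the action names, the `example_` functions and the data directory are assumptions.

```php
<?php
// "Before": an AJAX handler that edits a post on request with no nonce and no capability
// check. This is the pattern behind the missing-authorization and CSRF classes above: any
// logged-in user, or any site that tricks a logged-in user's browser into posting, can use it.
add_action( 'wp_ajax_example_save_title_insecure', function () {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    wp_update_post( array(
        'ID'         => $post_id,
        'post_title' => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
    ) );
    wp_send_json_success();
} );

// "After": the nonce (issued to the form with wp_create_nonce( 'example_save_title' )) ties the
// request to a page this user actually loaded, and current_user_can() checks that this user
// may edit this particular post. Both checks are needed; neither replaces the other.
add_action( 'wp_ajax_example_save_title', function () {
    check_ajax_referer( 'example_save_title', 'nonce' );   // sends 403 and exits on failure
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    wp_update_post( array(
        'ID'         => $post_id,
        'post_title' => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
    ) );
    wp_send_json_success();
} );

// User-supplied file names (the directory-traversal and PHAR-deserialization classes above):
// refuse any stream wrapper (phar://, php://, ...) outright, then resolve the path and confirm
// it still sits inside the plugin's own data directory after ../ and symlinks are collapsed.
// Returns the resolved path, or null if the name must not be used.
function example_resolve_data_file( string $user_path ): ?string {
    if ( preg_match( '#^[a-z][a-z0-9+.-]*://#i', $user_path ) ) {
        return null;
    }
    $base     = wp_normalize_path( trailingslashit( wp_upload_dir()['basedir'] ) . 'example-plugin/' );
    $resolved = realpath( $base . ltrim( $user_path, '/\\' ) );
    if ( false === $resolved ) {
        return null;   // does not exist or cannot be resolved
    }
    $resolved = wp_normalize_path( $resolved );
    return ( 0 === strpos( $resolved, $base ) ) ? $resolved : null;
}
```

When reviewing a plugin, grep its `wp_ajax_*`, `admin_post_*` and REST callbacks for the absence of a nonce check and a `current_user_can()` call on the specific object, and its file operations for paths built from request data without a check like the one above.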

Impact

  • Security Bypass
  • Data Manipulation
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2024-31421
  • CVE-2024-31432
  • CVE-2023-52144
  • CVE-2024-32454
  • CVE-2024-31372
  • CVE-2024-31371
  • CVE-2024-3054

Affected Vendors

WordPress

Affected Products

  • Popup by Supsystic Plugin for WordPress 1.10.27
  • Restrict Content Plugin for WordPress 3.2.8
  • Product Feed Manager Plugin for WordPress 7.3.15
  • Wappointment plugin for WordPress 2.6.0
  • No-Bot Registration Plugin for WordPress 1.9.1
  • Event Aggregator Plugin for WordPress 1.7.6
  • WPvivid Backup & Migration Plugin for WordPress 0.9.99

Remediation

Upgrade each affected plugin to its latest version, available from the WordPress Plugin Directory.
