July 24, 2024
Severity
High
Analysis Summary
CVE-2024-5325 CVSS:8.8
The Form Vibes plugin for WordPress is vulnerable to SQL injection because the value supplied in the 'fv_export_data' parameter is not properly escaped or parameterised before it is used in a database query. A remote attacker with a low-privileged authenticated account could send specially crafted SQL statements in this parameter to view, add, modify, or delete information in the back-end database.
CVE-2024-6310 CVSS:8.8
The Advanced AJAX Page Loader plugin for WordPress is vulnerable to cross-site request forgery because state-changing requests handled by the plugin are not tied to a valid nonce for the acting user. By persuading an authenticated user, typically an administrator, to visit a malicious web site, a remote attacker could cause the victim's browser to submit a forged request that the plugin accepts and performs with the victim's privileges. Depending on the action forged, this could be chained into cross-site scripting, web cache poisoning, and other malicious activity.
CVE-2024-6309 CVSS:8.8
The Attachment File Icons plugin for WordPress has the same class of flaw: a cross-site request forgery caused by missing validation of the request's origin. By persuading an authenticated user, typically an administrator, to visit a malicious web site, a remote attacker could cause the victim's browser to submit a forged request that the plugin performs with the victim's privileges, which could be chained into cross-site scripting, web cache poisoning, and other malicious activity.
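The following triage script is an added example written for this advisory; it is not code from the advisory or from any of the three plugins. It parses web-server access logs in Apache combined format and flags the two request patterns described above: values of the 'fv_export_data' parameter that contain SQL metacharacters (CVE-2024-5325), and POST requests into /wp-admin/ whose Referer is missing or from another host, which is what a forged CSRF request (CVE-2024-6310, CVE-2024-6309) typically looks like from the server side. The sample log lines, the `action=fv_export` query string, the hostnames and the detection regex are constructed for the example and are not indicators from the advisory.

```python
"""Triage access logs for SQLi attempts against fv_export_data and for
cross-origin admin POSTs. Added example; sample data is constructed."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crude but useful SQL-injection markers (assumed heuristic, tune for your site).
SQLI_RE = re.compile(
    r"(?i)('|--|/\*|\bunion\b|\bselect\b|\bsleep\(|\bbenchmark\(|\bor\b\s+\d+\s*=\s*\d+)"
)

# Constructed sample lines: one benign export, one injection attempt, one
# cross-site admin POST, one same-site admin POST. Not real IOCs.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jul/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=fv_export&fv_export_data=1 HTTP/1.1" 200 512 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Jul/2024:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=fv_export&fv_export_data=1%27%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users--%20- HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.7 - - [24/Jul/2024:10:02:11 +0000] "POST /wp-admin/admin.php?page=advanced-ajax-page-loader HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.8 - - [24/Jul/2024:10:02:30 +0000] "POST /wp-admin/options-general.php HTTP/1.1" 302 0 "https://example.com/wp-admin/options-general.php" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_sqli(entry, param="fv_export_data"):
    """Return the decoded parameter value if it carries SQL metacharacters, else None."""
    query = urlsplit(entry["path"]).query
    for value in parse_qs(query, keep_blank_values=True).get(param, []):
        # parse_qs decodes once; decode again to catch double-encoded payloads.
        if SQLI_RE.search(unquote_plus(value)):
            return value
    return None


def check_csrf(entry, site_host):
    """Flag state-changing admin requests that did not originate from site_host.

    A missing Referer is only a weak signal (privacy settings strip it), so it
    is reported separately from a clearly foreign Referer.
    """
    if entry["method"] != "POST" or not entry["path"].startswith("/wp-admin/"):
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        return "missing-referer"
    host = urlsplit(referer).hostname
    if host != site_host:
        return f"cross-site-referer:{host}"
    return None


def triage(lines, site_host):
    """Return (source ip, finding type, detail) for every suspicious line."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        payload = check_sqli(entry)
        if payload is not None:
            findings.append((entry["ip"], "sqli:fv_export_data", payload))
        csrf = check_csrf(entry, site_host)
        if csrf is not None:
            findings.append((entry["ip"], "csrf-suspect", csrf))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in triage(SAMPLE_LOG, "example.com"):
        print(f"{ip}\t{kind}\t{detail}")
```

Run it against the real access log by replacing `SAMPLE_LOG` with the file's lines and `"example.com"` with the site's hostname. A hit on the SQLi check is high confidence and should be followed by a review of database contents for the affected site; the CSRF heuristic only narrows the candidate requests, since a successful forged request is otherwise indistinguishable from a legitimate admin action.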
Impact
- Data Manipulation
- Gain Access
Indicators of Compromise
CVE
- CVE-2024-5325
- CVE-2024-6310
- CVE-2024-6309
Affected Vendors
Affected Products
- Form Vibes Plugin for WordPress, versions up to and including 1.4.10
- Advanced AJAX Page Loader Plugin for WordPress, versions up to and including 2.7.7
- Attachment File Icons Plugin for WordPress, versions up to and including 1.3
Remediation
Upgrade each affected plugin (Form Vibes, Advanced AJAX Page Loader, Attachment File Icons) to the latest patched version available from the WordPress Plugin Directory. If no patched release is available for a plugin, deactivate and remove it until one is published. After updating, review the site's database contents and plugin settings for signs of prior exploitation.
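To confirm whether an installation is still inside the affected ranges, the audit below, an added example and not part of the advisory, reads the `Version:` header of each installed plugin the way WordPress itself does (the first 8 KiB of any top-level PHP file carrying a `Plugin Name:` header) and compares it against the ceilings listed above. The plugin directory slugs (`form-vibes`, `advanced-ajax-page-loader`, `attachment-file-icons`) and the sample plugin headers are assumptions made for the example; the script only knows the affected ceilings, not which later versions exist.

```python
"""Audit installed WordPress plugins against the affected-version ceilings.
Added example; slugs and sample headers are assumptions."""
import re
from pathlib import Path

# "Up to and including" ceilings from this advisory, keyed by assumed slug.
AFFECTED = {
    "form-vibes": "1.4.10",
    "advanced-ajax-page-loader": "2.7.7",
    "attachment-file-icons": "1.3",
}

# Matches "Version: 1.2.3" inside a plugin file header comment.
VERSION_HDR = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)

# Constructed sample plugin main files (header comments only).
SAMPLE_PLUGINS = {
    "form-vibes": "<?php\n/**\n * Plugin Name: Form Vibes\n * Version: 1.4.10\n */\n",
    "advanced-ajax-page-loader": "<?php\n/*\nPlugin Name: Advanced AJAX Page Loader\nVersion: 2.7.8\n*/\n",
    "attachment-file-icons": "<?php\n/*\nPlugin Name: Attachment File Icons\nVersion: 1.3\n*/\n",
    "unrelated-plugin": "<?php\n/*\nPlugin Name: Unrelated\nVersion: 9.9\n*/\n",
}


def parse_version(text):
    """Turn '1.4.10' into (1, 4, 10); non-numeric parts (e.g. 'beta') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", text))


def plugin_version(header_text):
    """Extract the Version header from a plugin main file, or None if absent."""
    m = VERSION_HDR.search(header_text)
    return m.group(1) if m else None


def is_affected(slug, version):
    """True when the plugin is one listed in the advisory and at or below its ceiling."""
    ceiling = AFFECTED.get(slug)
    if ceiling is None or version is None:
        return False
    return parse_version(version) <= parse_version(ceiling)


def audit(plugins):
    """plugins: {slug: main-file text}. Returns {slug: (version, affected?)}."""
    result = {}
    for slug, text in plugins.items():
        version = plugin_version(text)
        result[slug] = (version, is_affected(slug, version))
    return result


def load_plugins_dir(plugins_dir):
    """Collect {slug: header text} from wp-content/plugins, mirroring how
    WordPress finds a plugin's main file: any top-level .php whose first
    8 KiB contains a 'Plugin Name:' header."""
    found = {}
    for plugin_dir in Path(plugins_dir).iterdir():
        if not plugin_dir.is_dir():
            continue
        for php in plugin_dir.glob("*.php"):
            head = php.read_text(encoding="utf-8", errors="replace")[:8192]
            if "Plugin Name:" in head:
                found[plugin_dir.name] = head
                break
    return found


if __name__ == "__main__":
    # Replace SAMPLE_PLUGINS with load_plugins_dir("/var/www/html/wp-content/plugins")
    # to audit a real installation.
    for slug, (version, affected) in audit(SAMPLE_PLUGINS).items():
        print(f"{slug}\t{version}\t{'AFFECTED' if affected else 'ok'}")
```

Note that a plugin reported as not affected because its slug is absent from `AFFECTED` has simply not been checked; the script makes no claim about other plugins.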