Analysis Summary

CVE-2024-44000 CVSS:9.8

LiteSpeed Technologies LiteSpeed Cache Plugin for WordPress could allow a remote attacker to gain elevated privileges on the system, caused by an HTTP response headers leak on the debug log file which also leaks the “Set-Cookie” header after the users perform a login request. By sending a specially crafted request, an attacker could exploit this vulnerability to gain Administrator level access after which malicious plugins could be uploaded and installed.

CVE-2024-5932 CVSS:10

GiveWP Plugin for WordPress could allow a remote attacker to execute arbitrary code on the system, caused by a PHP object injection vulnerability. By using deserialization of untrusted input from the 'give_title' parameter, an attacker could exploit this vulnerability to inject a PHP Object and execute arbitrary code on the system.

Impact

• Privilege Escalation
• Code Execution

Indicators of Compromise

CVE

• CVE-2024-44000
• CVE-2024-5932

Affected Vendors

Remediation

Upgrade to the latest version of Plugin for WordPress, available from the WordPress Website.

CVE-2024-44000

CVE-2024-5932