Rewterz

Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-31390 CVSS:9.9

The Soflyy Breakdance plugin for WordPress could allow a remote authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.

CVE-2024-3136 CVSS:9.8

MasterStudy LMS Plugin for WordPress could allow a remote attacker to include arbitrary files. A remote attacker could send a specially crafted URL request to specify a malicious file from the local system, which could allow the attacker to obtain sensitive information or execute arbitrary code on the vulnerable Web server. Note: In order to exploit this vulnerability to execute arbitrary code using a local file, the attacker would first be required to upload a malicious file or inject arbitrary commands into an existing file.

Impact

  • Gain Access
  • Code Execution
  • Data Manipulation

Indicators of Compromise

CVE

  • CVE-2024-31390
  • CVE-2024-3136

Affected Vendors

WordPress

Affected Products

  • Soflyy Breakdance plugin for WordPress 1.7.0
  • MasterStudy LMS WordPress Plugin for WordPress 3.3.3

Remediation

Upgrade to the latest version of the WordPress plugin, available from the WordPress Plugin Directory.

CVE-2024-31390

CVE-2024-3136
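
To find installs that still need the upgrade, the check below reads each plugin's WordPress header and flags the products listed under Affected Products. It is an added example, not part of the advisory or of either vendor's tooling; matching on the header's Plugin Name text, treating versions older than the listed ones as affected, and the sample plugins directory are all assumptions.

```python
import re
import tempfile
from pathlib import Path

# Products and versions as listed in the advisory. Matching on the "Plugin Name"
# header text is an assumption: the advisory gives no plugin slugs.
AFFECTED = {"breakdance": ("CVE-2024-31390", (1, 7, 0)),
            "masterstudy lms": ("CVE-2024-3136", (3, 3, 3))}
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def parse_version(text):
    """Turn '3.3.3' or '1.7' into a comparable three-part tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def read_header(php_file):
    """Return (name, version) from a WordPress plugin header, or None."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {k.lower(): v for k, v in reversed(HEADER.findall(head))}
    if "plugin name" in fields and "version" in fields:
        return fields["plugin name"], fields["version"]
    return None

def scan(plugins_dir):
    """Flag plugins at or below the listed versions (assumes older ones are affected)."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        name, version = read_header(php_file) or (None, None)
        if name is None:
            continue
        for needle, (cve, listed) in AFFECTED.items():
            if needle in name.lower() and parse_version(version) <= listed:
                findings.append((php_file.parent.name, name, version, cve))
    return findings

def demo():
    """Scan a constructed plugins directory (sample data, not real plugins)."""
    samples = {"breakdance": ("Breakdance", "1.7.0"),
               "masterstudy-lms": ("MasterStudy LMS", "3.3.4"),
               "hello-dolly": ("Hello Dolly", "1.7.2")}
    with tempfile.TemporaryDirectory() as root:
        for folder, (name, version) in samples.items():
            Path(root, folder).mkdir()
            Path(root, folder, "plugin.php").write_text(
                f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

On a real site, pass the path of `wp-content/plugins` to `scan()` and confirm any hit against the vendor's own advisory before scheduling the upgrade.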