Cisco Investigates Data Breach Following the Selling of Stolen Data on Dark Web Forum
October 15, 2024
Nation-State Threat Actors Leverage Ivanti CSA Vulnerabilities to Gain Access to Networks – Active IOCs
October 15, 2024
Severity
High
Analysis Summary
CVE-2024-9047 CVSS:9.8
The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.
CVE-2024-48041 CVSS:6.5
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Tooltip Glossary allows Stored XSS. This issue affects CM Tooltip Glossary: from n/a through 4.3.9.
CVE-2024-48040 CVSS:8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tainacan.Org Tainacan allows SQL Injection. This issue affects Tainacan: from n/a through 0.21.8.
CVE-2024-48033 CVSS:9.8
Deserialization of Untrusted Data vulnerability in Elie Burstein, Baptiste Gourdin Talkback allows Object Injection. This issue affects Talkback: from n/a through 1.0.
CVE-2024-47331 CVSS:9.3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NinjaTeam Multi Step for Contact Form allows SQL Injection. This issue affects Multi Step for Contact Form: from n/a through 2.7.7.
CVE-2024-48020 CVSS:8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Revmakx Backup and Staging by WP Time Capsule allows SQL Injection. This issue affects Backup and Staging by WP Time Capsule: from n/a through 1.22.21.
Impact
- Gain Access
- Cross-Site Scripting
- Data Manipulation
Indicators of Compromise
CVE
- CVE-2024-9047
- CVE-2024-48041
- CVE-2024-48040
- CVE-2024-48033
- CVE-2024-47331
- CVE-2024-48020
Affected Vendors
Affected Products
- nickboss WordPress File Upload - *
- CreativeMindsSolutions CM Tooltip Glossary - n/a
- Tainacan.org Tainacan - n/a
- NinjaTeam Multi Step for Contact Form - n/a
- Revmakx Backup and Staging by WP Time Capsule - n/a
Remediation
Upgrade each affected plugin to the latest version available from the WordPress Plugin Directory. For CVE-2024-9047, note that the advisory states exploitation requires PHP 7.4 or earlier, so also confirm the PHP version in use when prioritizing the update.
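The following is an added triage script, not part of the advisory or of any of the plugin projects. It checks a plugin inventory against the version ceilings listed above ("from n/a through X" is treated as every version up to and including X) and, for CVE-2024-9047, records whether the site's PHP version falls in the range the advisory says is required for exploitation. The inventory format (one "Plugin Name,version" line per plugin) and the sample inventory are constructed for the example; the plugin names, CVE ids and version ceilings are taken from the advisory text.

```python
# Added example (not the advisory's own code): flag installed WordPress plugins
# that fall inside the affected version ranges listed in the advisory.
from __future__ import annotations
import re

# Highest affected version per plugin, as stated in the advisory ("through X").
# Keys are the plugin display names used in the advisory, not plugin slugs.
ADVISORY = {
    "WordPress File Upload": ("CVE-2024-9047", "4.24.11"),
    "CM Tooltip Glossary": ("CVE-2024-48041", "4.3.9"),
    "Tainacan": ("CVE-2024-48040", "0.21.8"),
    "Talkback": ("CVE-2024-48033", "1.0"),
    "Multi Step for Contact Form": ("CVE-2024-47331", "2.7.7"),
    "Backup and Staging by WP Time Capsule": ("CVE-2024-48020", "1.22.21"),
}

# Constructed sample inventory: "Plugin Name,installed version" per line.
SAMPLE_INVENTORY = """\
WordPress File Upload,4.24.11
CM Tooltip Glossary,4.4.0
Tainacan,0.21.8
Backup and Staging by WP Time Capsule,1.22.21
Akismet,5.3
"""


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '4.24.11' into (4, 24, 11).

    Only the leading digits of each dotted segment are used, so a suffix such
    as '-beta' is ignored, and trailing zeros are dropped so that '1.0' and
    '1.0.0' compare equal.
    """
    nums = []
    for seg in v.strip().split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        nums.append(int(m.group()))
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_affected(installed: str, max_affected: str) -> bool:
    """True when the installed version is at or below the advisory's ceiling."""
    return parse_version(installed) <= parse_version(max_affected)


def php_is_74_or_earlier(php_version: str) -> bool:
    """The advisory ties CVE-2024-9047 exploitation to PHP 7.4 or earlier;
    compare on major.minor so that 7.4.33 still counts as 7.4."""
    return parse_version(php_version)[:2] <= (7, 4)


def triage(inventory_csv: str, php_version: str) -> list[dict]:
    """Return one finding per installed plugin inside an affected range."""
    findings = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        name, installed = (s.strip() for s in line.split(",", 1))
        if name not in ADVISORY:
            continue
        cve, ceiling = ADVISORY[name]
        if not is_affected(installed, ceiling):
            continue
        finding = {
            "plugin": name,
            "installed": installed,
            "cve": cve,
            "action": "upgrade to a version above %s" % ceiling,
        }
        if cve == "CVE-2024-9047":
            # Still upgrade either way; this only affects prioritization.
            finding["exploitable_on_this_php"] = php_is_74_or_earlier(php_version)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, "7.4.33"):
        print(f)
```

Feed it the output of your own inventory tooling (for example, a spreadsheet export of plugin names and versions) rather than the constructed sample; plugins that are missing from the advisory table are simply skipped, and a plugin whose version exceeds the ceiling produces no finding.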