October 22, 2024
Severity
Medium
Analysis Summary
CVE-2024-49325 CVSS: 4.3
Broken Access Control in Photo Gallery Builder versions <= 3.0, reachable by users with the Subscriber role.
CVE-2024-49250 CVSS: 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Michael Tran Table of Contents Plus allows Cross-Site Request Forgery. This issue affects Table of Contents Plus: from n/a through 2408.
CVE-2024-49272 CVSS: 4.3
Cross-Site Request Forgery (CSRF) vulnerability in WPWeb Social Auto Poster allows Cross-Site Request Forgery. This issue affects Social Auto Poster: from n/a through 5.3.15.
CVE-2024-49274 CVSS: 5.4
Cross-Site Request Forgery (CSRF) vulnerability in Infomaniak Staff VOD Infomaniak allows Cross-Site Request Forgery. This issue affects VOD Infomaniak: from n/a through 1.5.7.
CVE-2024-49275 CVSS: 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Martin Gibson IdeaPush allows Cross-Site Request Forgery. This issue affects IdeaPush: from n/a through 8.69.
CVE-2024-49290 CVSS: 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross-Site Request Forgery. This issue affects Cooked Pro: from n/a before 1.8.0.
CVE-2024-49306 CVSS: 4.3
Cross-Site Request Forgery (CSRF) vulnerability in WP-buy WP Content Copy Protection & No Right Click allows Cross-Site Request Forgery. This issue affects WP Content Copy Protection & No Right Click: from n/a through 3.5.9.
CVE-2024-49627 CVSS: 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Noor Alam WordPress Image SEO allows Cross-Site Request Forgery. This issue affects WordPress Image SEO: from n/a through 1.1.4.
CVE-2024-49628 CVSS: 4.3
Cross-Site Request Forgery (CSRF) vulnerability in WhileTrue Most And Least Read Posts Widget allows Cross-Site Request Forgery. This issue affects Most And Least Read Posts Widget: from n/a through 2.5.18.
CVE-2024-48049 CVSS: 6.5
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Mighty Plugins Mighty Builder allows Stored XSS. This issue affects Mighty Builder: from n/a through 1.0.2.
CVE-2024-49630 CVSS: 6.5
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HT Plugins WP Education allows Stored XSS. This issue affects WP Education: from n/a through 1.2.8.
CVE-2024-49631 CVSS: 6.5
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Md Abdul Kader Easy Addons for Elementor allows Stored XSS. This issue affects Easy Addons for Elementor: from n/a through 1.3.0.
Impact
- Gain Access
- Cross-Site Scripting
Indicators of Compromise
CVE
- CVE-2024-49325
- CVE-2024-49250
- CVE-2024-49272
- CVE-2024-49274
- CVE-2024-49275
- CVE-2024-49290
- CVE-2024-49306
- CVE-2024-49627
- CVE-2024-49628
- CVE-2024-48049
- CVE-2024-49630
- CVE-2024-49631
Affected Vendors and Products
- wpdiscover Photo Gallery Builder - n/a
- Michael Tran Table of Contents Plus - n/a
- WPWeb Social Auto Poster - n/a
- Infomaniak Staff VOD Infomaniak - n/a
- Martin Gibson IdeaPush - n/a
- Gora Tech LLC Cooked Pro - n/a
- Noor Alam WordPress Image SEO - n/a
- WhileTrue Most And Least Read Posts Widget - n/a
- Mighty Plugins Mighty Builder - n/a
- HT Plugins WP Education - n/a
- Md Abdul Kader Easy Addons for Elementor - n/a
Remediation
Upgrade each affected WordPress plugin to its latest version, available from the WordPress Plugin Directory.