Rewterz

Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-49335 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in Edush Maxim GoogleDrive folder list allows Stored XSS. This issue affects GoogleDrive folder list: from n/a through 2.2.2.

CVE-2024-49605 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in Avchat.Net AVChat Video Chat allows Stored XSS. This issue affects AVChat Video Chat: from n/a through 2.2.

CVE-2024-49629 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in Fahad Mahmood Endless Posts Navigation allows Stored XSS. This issue affects Endless Posts Navigation: from n/a through 2.2.7.

CVE-2024-47325 CVSS:8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle Multiple Page Generator Plugin – MPG allows SQL Injection. This issue affects Multiple Page Generator Plugin – MPG: from n/a through 3.4.7.

CVE-2024-49609 CVSS:8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brandon White Author Discussion allows Blind SQL Injection. This issue affects Author Discussion: from n/a through 0.2.2.

CVE-2024-49612 CVSS:8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infotuts SW Contact Form allows Blind SQL Injection. This issue affects SW Contact Form: from n/a through 1.0.

CVE-2024-49613 CVSS:8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Lodel Geraldo Simple Code Insert Shortcode allows SQL Injection. This issue affects Simple Code Insert Shortcode: from n/a through 1.0.

CVE-2024-49614 CVSS:8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dan Alexander SermonAudio Widgets allows SQL Injection. This issue affects SermonAudio Widgets: from n/a through 1.9.3.

CVE-2024-49615 CVSS:8.2

Cross-Site Request Forgery (CSRF) vulnerability in Henrique Rodrigues SafetyForms allows Blind SQL Injection. This issue affects SafetyForms: from n/a through 1.0.0.

CVE-2024-49616 CVSS:8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nyasro Rate Own Post allows Blind SQL Injection. This issue affects Rate Own Post: from n/a through 1.0.
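The two defect classes listed above share one shape: a plugin handler accepts a state-changing request without a nonce or capability check (CSRF), and the attacker-supplied value is then either stored and rendered unescaped (stored XSS) or concatenated into a query (SQL injection). The hypothetical handler below is an added illustration, not code from any plugin named in this advisory; it shows that unsafe shape beside its WordPress-idiomatic fix, and the option name, table name and `demo_*` function names are assumptions.

```php
<?php
// Added illustration, not taken from any plugin in this advisory.
// Option name, table name and demo_* function names are assumptions.

// Unsafe shape: no nonce, no capability check, raw SQL, unescaped output.
function demo_save_note_unsafe() {
    global $wpdb;
    $note = $_POST['note'];                               // request-controlled
    update_option( 'demo_note', $note );                  // stored as-is
    $wpdb->query( "INSERT INTO {$wpdb->prefix}demo_notes (note) VALUES ('$note')" );
}
function demo_render_note_unsafe() {
    echo '<p>' . get_option( 'demo_note' ) . '</p>';      // stored XSS sink
}

// Hardened shape: capability check + nonce defeat CSRF, prepare() defeats SQLi,
// esc_html() on output neutralises stored XSS even if bad data was saved earlier.
function demo_save_note_safe() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_save_note', 'demo_nonce' ); // dies on missing/bad nonce
    $note = isset( $_POST['note'] )
        ? sanitize_text_field( wp_unslash( $_POST['note'] ) )
        : '';
    update_option( 'demo_note', $note );
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}demo_notes (note) VALUES (%s)",
        $note
    ) );
}
function demo_render_note_safe() {
    echo '<p>' . esc_html( get_option( 'demo_note', '' ) ) . '</p>';
}

// The form posting to demo_save_note_safe() must carry the matching nonce field.
function demo_note_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_save_note">';
    wp_nonce_field( 'demo_save_note', 'demo_nonce' );
    echo '<input type="text" name="note"><button type="submit">Save</button></form>';
}
add_action( 'admin_post_demo_save_note', 'demo_save_note_safe' );
```

When reviewing a plugin for these classes, look for every handler reachable via `admin-post.php`, `admin-ajax.php` or a REST route and confirm it performs both the capability check and the nonce check before touching options or the database.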

Impact

  • Cross-Site Scripting
  • Data Manipulation

Indicators of Compromise

CVE

  • CVE-2024-49335
  • CVE-2024-49605
  • CVE-2024-49629
  • CVE-2024-47325
  • CVE-2024-49609
  • CVE-2024-49612
  • CVE-2024-49613
  • CVE-2024-49614
  • CVE-2024-49615
  • CVE-2024-49616

Affected Vendors

WordPress

Affected Products

  • Edush Maxim GoogleDrive folder list - n/a
  • Avchat.net AVChat Video Chat - n/a
  • Fahad Mahmood Endless Posts Navigation - n/a
  • Themeisle Multiple Page Generator Plugin – MPG - n/a
  • Brandon White Author Discussion - n/a
  • Infotuts SW Contact Form - n/a
  • Lodel Geraldo Simple Code Insert Shortcode - n/a
  • Dan Alexander SermonAudio Widgets - n/a
  • Henrique Rodrigues SafetyForms - n/a
  • Nyasro Rate Own Post - n/a

Remediation

Upgrade each affected plugin to its latest version, available from the WordPress Plugin Directory.
