October 23, 2024
Severity
High
Analysis Summary
CVE-2024-49335 CVSS: 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Edush Maxim GoogleDrive folder list allows Stored XSS. This issue affects GoogleDrive folder list: from n/a through 2.2.2.
CVE-2024-49605 CVSS: 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Avchat.Net AVChat Video Chat allows Stored XSS. This issue affects AVChat Video Chat: from n/a through 2.2.
CVE-2024-49629 CVSS: 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Fahad Mahmood Endless Posts Navigation allows Stored XSS. This issue affects Endless Posts Navigation: from n/a through 2.2.7.
CVE-2024-47325 CVSS: 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle Multiple Page Generator Plugin – MPG allows SQL Injection. This issue affects Multiple Page Generator Plugin – MPG: from n/a through 3.4.7.
CVE-2024-49609 CVSS: 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brandon White Author Discussion allows Blind SQL Injection. This issue affects Author Discussion: from n/a through 0.2.2.
CVE-2024-49612 CVSS: 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infotuts SW Contact Form allows Blind SQL Injection. This issue affects SW Contact Form: from n/a through 1.0.
CVE-2024-49613 CVSS: 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Lodel Geraldo Simple Code Insert Shortcode allows SQL Injection. This issue affects Simple Code Insert Shortcode: from n/a through 1.0.
CVE-2024-49614 CVSS: 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dan Alexander SermonAudio Widgets allows SQL Injection. This issue affects SermonAudio Widgets: from n/a through 1.9.3.
CVE-2024-49615 CVSS: 8.2
Cross-Site Request Forgery (CSRF) vulnerability in Henrique Rodrigues SafetyForms allows Blind SQL Injection. This issue affects SafetyForms: from n/a through 1.0.0.
CVE-2024-49616 CVSS: 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nyasro Rate Own Post allows Blind SQL Injection. This issue affects Rate Own Post: from n/a through 1.0.
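The two defect classes behind the entries above, shown in a hypothetical WordPress plugin settings handler. This is an added illustration, not code from any plugin named in this bulletin; the function names, option name, table name and capability are assumptions. The "before" version has no nonce or capability check, so a request forged from an authenticated administrator's browser can store attacker-controlled HTML (CSRF leading to stored XSS), and it concatenates request data into SQL; the "after" version adds check_admin_referer(), current_user_can(), output-safe sanitisation and $wpdb->prepare().

```php
<?php
// Hypothetical WordPress plugin handler (added example, not code from any plugin
// named in this bulletin). The admin_post_{action} hook runs for logged-in users.

// --- BEFORE: the defect pattern behind the CSRF -> stored XSS and SQLi entries ---
function mpx_save_settings_vulnerable() {
    global $wpdb;
    // No nonce and no capability check: any site that can make the admin's
    // browser POST here can store arbitrary HTML, which is later echoed unescaped.
    update_option( 'mpx_banner_html', $_POST['banner'] );
    // Request data concatenated straight into the SQL string.
    $rows = $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}mpx_items WHERE owner = '" . $_POST['owner'] . "'"
    );
    wp_safe_redirect( admin_url( 'admin.php?page=mpx' ) );
    exit;
}

// --- AFTER: hardened handler ---
function mpx_save_settings_hardened() {
    global $wpdb;
    // 1. CSRF: the form must carry a nonce emitted by wp_nonce_field( 'mpx_save', 'mpx_nonce' );
    //    check_admin_referer() stops the request with a 403 if it is missing or invalid.
    check_admin_referer( 'mpx_save', 'mpx_nonce' );
    // 2. Authorisation: a valid nonce proves intent, not privilege, so check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 3. Stored XSS: keep only the HTML subset WordPress allows in post content.
    $banner = wp_kses_post( wp_unslash( $_POST['banner'] ?? '' ) );
    update_option( 'mpx_banner_html', $banner );
    // 4. SQLi: parameterise with $wpdb->prepare(); the table name comes from the
    //    trusted prefix, never from the request.
    $owner = sanitize_text_field( wp_unslash( $_POST['owner'] ?? '' ) );
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}mpx_items WHERE owner = %s", $owner )
    );
    wp_safe_redirect( admin_url( 'admin.php?page=mpx' ) );
    exit;
}
add_action( 'admin_post_mpx_save', 'mpx_save_settings_hardened' );

// Escape on output as well when rendering the stored value:
// echo wp_kses_post( get_option( 'mpx_banner_html' ) );
```

Reviewing a plugin for these two patterns (a state-changing handler reachable without a nonce check, and a $wpdb call whose query string is built by concatenation) is the quickest way to triage whether an installed version matches the advisory classes above.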
Impact
- Cross-Site Scripting
- Data Manipulation
Indicators of Compromise
CVE
- CVE-2024-49335
- CVE-2024-49605
- CVE-2024-49629
- CVE-2024-47325
- CVE-2024-49609
- CVE-2024-49612
- CVE-2024-49613
- CVE-2024-49614
- CVE-2024-49615
- CVE-2024-49616
Affected Vendors
Affected Products
- Edush Maxim GoogleDrive folder list - n/a
- Avchat.net AVChat Video Chat - n/a
- Fahad Mahmood Endless Posts Navigation - n/a
- Themeisle Multiple Page Generator Plugin – MPG - n/a
- Brandon White Author Discussion - n/a
- Infotuts SW Contact Form - n/a
- Lodel Geraldo Simple Code Insert Shortcode - n/a
- Dan Alexander SermonAudio Widgets - n/a
- Henrique Rodrigues SafetyForms - n/a
- Nyasro Rate Own Post - n/a
Remediation
Upgrade each affected WordPress plugin to the latest version, available from the WordPress Plugin Directory.