

Multiple Cisco Products Vulnerabilities
October 25, 2024
Threat Actor Targets Several Industries in Pakistan and Hong Kong – Active IOCs
October 25, 2024
Severity
Medium
Analysis Summary
CVE-2024-49683 CVSS: 5.3
Missing Authorization vulnerability in Schema & Structured Data for WP & AMP allows accessing functionality not properly constrained by ACLs. This issue affects Schema & Structured Data for WP & AMP: from n/a through 1.3.5.
CVE-2024-49682 CVSS: 4.7
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in smp7, wp.Insider Simple Membership allows phishing. This issue affects Simple Membership: from n/a through 4.5.3.
CVE-2024-8959 CVSS: 6.4
The WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Author-level access and above to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses the SVG file.
CVE-2024-8667 CVSS: 4.3
The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized post publication due to a missing capability check on the activateCampaign() function in all versions up to, and including, 2.10.0. This makes it possible for authenticated attackers with Contributor-level access and above to publish arbitrary posts, such as posts they have submitted for review or posts a site administrator holds in draft.
CVE-2024-49335 CVSS: 8.6
Cross-Site Request Forgery (CSRF) vulnerability in Edush Maxim GoogleDrive folder list allows Stored XSS. This issue affects GoogleDrive folder list: from n/a through 2.2.2.
CVE-2024-49619 CVSS: 8.4
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Acespritech Solutions Pvt. Ltd. Social Link Groups allows Blind SQL Injection. This issue affects Social Link Groups: from n/a through 1.1.0.
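The defect class behind CVE-2024-8667 (a privileged action reachable without a capability check) is illustrated below with an added, hypothetical WordPress AJAX handler in its vulnerable form next to a hardened one; this is not HurryTimer's own code. The function names, the `wp_ajax_` action hooks and the nonce name are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Names below are hypothetical.

// VULNERABLE PATTERN: the handler trusts any logged-in user and any request
// origin, so a Contributor can publish a post they are not allowed to publish.
function example_activate_campaign_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    wp_update_post( array( 'ID' => $post_id, 'post_status' => 'publish' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_activate_campaign_vuln', 'example_activate_campaign_vulnerable' );

// HARDENED PATTERN: reject forged requests via the nonce, then require the
// per-post 'publish_post' meta capability before changing the status.
function example_activate_campaign_hardened() {
    // Dies with a 403 if the nonce is missing or invalid (CSRF protection).
    check_ajax_referer( 'example_activate_campaign', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Contributors lack publish_posts, and a user may not publish another
    // user's draft unless they can edit others' posts; map_meta_cap handles both.
    if ( ! $post_id || ! current_user_can( 'publish_post', $post_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $result = wp_update_post(
        array( 'ID' => $post_id, 'post_status' => 'publish' ),
        true // return a WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_example_activate_campaign', 'example_activate_campaign_hardened' );
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_*`, REST or admin-post handler that changes state and confirm it calls both a nonce check and a `current_user_can()` check before doing so.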
Impact
- Gain Access
- Denial of Service
- Data Manipulation
- Cross-Site Scripting
Indicators of Compromise
CVE
- CVE-2024-49683
- CVE-2024-49682
- CVE-2024-8959
- CVE-2024-8667
- CVE-2024-49335
- CVE-2024-49619
Affected Vendors
Affected Products
- Edush Maxim GoogleDrive folder list - n/a
- Acespritech Solutions Pvt. Ltd. Social Link Groups - n/a
- Schema and Structured Data for WP and AMP Schema and Structured Data for WP and AMP - n/a
- nlemsieh HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress and WooCommerce - *
Remediation
Upgrade each affected plugin to its latest version, available from the WordPress Plugin Directory.