Rewterz

Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-8392 CVSS:7.2

The WordPress Post Grid Layouts with Pagination – Sogrid plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.2 via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.

CVE-2024-9598 CVSS:8.8

AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVE-2024-9235 CVSS:8.8

Mapster WP Maps Plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by an insufficient capability check on the mapster_wp_maps_set_option_from_js() function. By sending a specially crafted request, an attacker could exploit this vulnerability to gain administrative user access to the Web site.

CVE-2024-10011 CVSS:8.1

The BuddyPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 14.1.0 via the id parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory and enables file uploads to directories outside of the web root. Depending on server configuration it may be possible to upload files with double extensions.
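The four issues above share a small set of missing server-side controls: a capability check on a handler reachable by any logged-in user, a nonce against forged requests, an allowlist instead of an include path built from a request parameter, and containment of file paths derived from an id. The handler below is an added illustration of those controls in WordPress plugin form; it is not code from any of the plugins named in this advisory, and the action, function, option and directory names are assumed.

```php
<?php
// Added illustration, not from any plugin in the advisory. Hypothetical
// admin-ajax handler showing the checks whose absence the advisory describes.
add_action( 'wp_ajax_example_plugin_save', 'example_plugin_save' );

function example_plugin_save() {
    // 1. Capability: admin-ajax.php is reachable by every logged-in role
    //    (Subscriber and up), so the handler must enforce the role itself.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: a nonce bound to this action rejects a request that a
    //    logged-in browser was lured into sending from a third-party site.
    check_ajax_referer( 'example_plugin_save', 'nonce' );

    // 3. Allowlist: the 'tab' value selects a key, never a path fragment,
    //    so no unknown value reaches include().
    $tabs = array( 'general' => 'general.php', 'layout' => 'layout.php' );
    $tab  = isset( $_POST['tab'] ) ? sanitize_key( wp_unslash( $_POST['tab'] ) ) : 'general';
    if ( ! array_key_exists( $tab, $tabs ) ) {
        wp_send_json_error( 'unknown tab', 400 );
    }
    $view = plugin_dir_path( __FILE__ ) . 'views/' . $tabs[ $tab ];

    // 4. Containment: ids are integers only, and the resolved destination
    //    must stay under the plugin's own upload directory (assumed name).
    $base = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-plugin/';
    $id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $dest = $base . $id . '/';
    if ( 0 === $id || ! example_plugin_path_is_contained( $base, $dest ) ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    include $view;
    wp_send_json_success( array( 'dest' => $dest ) );
}

// True only if $candidate's parent resolves (symlinks and ../ included)
// to a directory inside $base. Both directories must already exist.
function example_plugin_path_is_contained( $base, $candidate ) {
    $real_base = realpath( $base );
    $real_dir  = realpath( dirname( rtrim( $candidate, '/' ) ) );
    if ( false === $real_base || false === $real_dir ) {
        return false;
    }
    return 0 === strpos( trailingslashit( $real_dir ), trailingslashit( $real_base ) );
}
```

The page whose form posts to this action must emit the matching nonce with wp_create_nonce( 'example_plugin_save' ); without it every request, legitimate or forged, is rejected by check_ajax_referer().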

Impact

  • Gain Access
  • Security Bypass
  • Cross-Site Scripting

Indicators of Compromise

CVE

  • CVE-2024-8392
  • CVE-2024-9598
  • CVE-2024-9235
  • CVE-2024-10011

Affected Vendors

WordPress

Affected Products

  • delabon WordPress Post Grid Layouts with Pagination – Sogrid - *
  • Mapster WP Maps Plugin for WordPress 1.5.0
  • BuddyPress Plugin for WordPress 14.1.0
  • Accelerated Mobile Pages Plugin for WordPress 1.0.99.1

Remediation

Upgrade each affected plugin to the latest version, available from the WordPress Plugin Directory.
