Severity
High
Analysis Summary
CVE-2024-8392 CVSS:7.2
The WordPress Post Grid Layouts with Pagination – Sogrid plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.2 via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
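The pattern behind this class of bug, as an added illustration that is not the Sogrid plugin's code: a settings screen that builds an include path from the request's 'tab' value, shown beside an allowlist-based version. Function, directory and tab names are hypothetical. Although the advisory scopes this one to Administrator-level users, the same construction is exploitable by whatever role can reach the page, so the fix is the same regardless of who the caller is.

```php
<?php
// Hypothetical tab-switching admin screen (example code, not the plugin's).

// Vulnerable pattern: the 'tab' request value becomes part of an include()
// path. A value such as ../../../../wp-content/uploads/2024/10/avatar.jpg
// makes PHP include that file and run any PHP embedded in it, which is the
// "include and execute arbitrary files" outcome described in the advisory.
function example_render_tab_vulnerable(array $request): void {
    $tab = isset($request['tab']) ? (string) $request['tab'] : 'general';
    include __DIR__ . '/tabs/' . $tab . '.php';
}

// Hardened pattern: the request value only selects a key in a fixed map,
// so no attacker-controlled string is ever concatenated into a path.
// Unknown keys fall back to the default tab instead of being trusted.
function example_render_tab_hardened(array $request): void {
    $tabs = [
        'general' => __DIR__ . '/tabs/general.php',
        'layout'  => __DIR__ . '/tabs/layout.php',
        'style'   => __DIR__ . '/tabs/style.php',
    ];
    $tab = isset($request['tab']) ? (string) $request['tab'] : 'general';
    if (!array_key_exists($tab, $tabs)) {
        $tab = 'general';
    }
    include $tabs[$tab];
}

// Usage inside a plugin would pass $_GET; both functions accept the array
// explicitly so the example can be read without a running WordPress.
example_render_tab_hardened(['tab' => '../../../../wp-config']); // renders 'general'
```

A fix that only strips directory separators (for example with basename()) is weaker than the allowlist, because it still lets the caller pick any file in the tabs directory and leaves path handling logic that future changes can reintroduce a traversal into.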
CVE-2024-9598 CVSS:8.8
The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to cross-site request forgery because state-changing requests are not adequately validated as originating from the user who is logged in. By persuading an authenticated user to visit a malicious website, a remote attacker can have that user's browser submit a forged request that performs unauthorized actions on the site. The advisory lists cross-site scripting and web cache poisoning among the attacks this enables.
CVE-2024-9235 CVSS:8.8
The Mapster WP Maps plugin for WordPress is affected by an insufficient capability check in the mapster_wp_maps_set_option_from_js() function. A remote, authenticated attacker can send a specially crafted request to this function to bypass the intended restrictions and gain administrative access to the site.
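What a missing capability check on an option-writing AJAX handler looks like, as an added illustration that is not the Mapster WP Maps plugin's code: the vulnerable shape beside a hardened one. The action name, option names and nonce action are hypothetical.

```php
<?php
// Hypothetical admin-ajax.php handler that writes a WordPress option on
// behalf of front-end JavaScript (example code, not the plugin's).

// Vulnerable pattern: reachable by any logged-in user via wp_ajax_*, with no
// nonce check, no capability check, and no restriction on which option is
// written. A Subscriber can set 'users_can_register' to 1 and 'default_role'
// to 'administrator', then register a new account that is an administrator.
function example_set_option_vulnerable(): void {
    $name  = isset($_POST['name'])  ? sanitize_text_field(wp_unslash($_POST['name'])) : '';
    $value = isset($_POST['value']) ? wp_unslash($_POST['value']) : '';
    update_option($name, $value);
    wp_send_json_success();
}
// The vulnerable version would have been hooked exactly like the hardened
// one below; only the hardened handler is registered here.

// Hardened pattern: verify a nonce bound to this action, require the
// capability the operation needs, and accept only the plugin's own options.
function example_set_option_hardened(): void {
    // Dies with a 403-style response if the nonce is missing or invalid.
    check_ajax_referer('example_set_option', 'nonce');

    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient permissions', 403); // exits
    }

    $allowed = ['example_map_style', 'example_default_zoom'];
    $name = isset($_POST['name']) ? sanitize_key(wp_unslash($_POST['name'])) : '';
    if (!in_array($name, $allowed, true)) {
        wp_send_json_error('unknown option', 400); // exits
    }

    $value = isset($_POST['value']) ? sanitize_text_field(wp_unslash($_POST['value'])) : '';
    update_option($name, $value);
    wp_send_json_success();
}
add_action('wp_ajax_example_set_option', 'example_set_option_hardened');
```

The JavaScript side obtains the nonce from wp_create_nonce('example_set_option'), typically passed to the script with wp_localize_script(), and sends it as the 'nonce' field. Note that a nonce alone is not an authorization check: without the current_user_can() test, any logged-in user could still call the handler with their own valid nonce, which is the capability gap the advisory describes.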
CVE-2024-10011 CVSS:8.1
The BuddyPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 14.1.0 via the id parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory and enables file uploads to directories outside of the web root. Depending on server configuration it may be possible to upload files with double extensions.
Impact
- Gain Access
- Security Bypass
- Cross-Site Scripting
Indicators of Compromise
CVE
- CVE-2024-8392
- CVE-2024-9598
- CVE-2024-9235
- CVE-2024-10011
Affected Vendors
Affected Products
- delabon Post Grid Layouts with Pagination – Sogrid, all versions up to and including 1.5.2
- Mapster WP Maps plugin for WordPress 1.5.0
- BuddyPress plugin for WordPress, all versions up to and including 14.1.0
- AMP for WP – Accelerated Mobile Pages plugin for WordPress 1.0.99.1
Remediation
Upgrade each affected plugin to the latest version available from the WordPress Plugin Directory. Inventory installed plugins and their versions first, using the Plugins screen in the WordPress admin or WP-CLI, and delete plugins that are no longer needed rather than leaving them inactive. Because the BuddyPress and Mapster WP Maps issues are exploitable from low-privilege accounts, sites with open registration should review recently created users and any administrator accounts they do not recognise.