
Multiple WordPress Plugin Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-50504 CVSS:8.8

Incorrect Privilege Assignment vulnerability in Matt Whiteman Bulk Change Role allows Privilege Escalation. This issue affects Bulk Change Role: from n/a through 1.1.

CVE-2024-50506 CVSS:8.8

Incorrect Privilege Assignment vulnerability in Azexo Marketing Automation by AZEXO allows Privilege Escalation.

CVE-2024-50508 CVSS:7.5

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chetan Khandla Woocommerce Product Design allows Path Traversal. This issue affects Woocommerce Product Design: from n/a through 1.0.0.

CVE-2024-50510 CVSS:10

Unrestricted Upload of File with Dangerous Type vulnerability in Web and Print Design AR For Woocommerce allows Upload a Web Shell to a Web Server. This issue affects AR For Woocommerce: from n/a through 6.2.

CVE-2024-50511 CVSS:9.9

Unrestricted Upload of File with Dangerous Type vulnerability in David DONISA WP donimedia carousel allows Upload a Web Shell to a Web Server. This issue affects WP donimedia carousel: from n/a through 1.0.1.

CVE-2024-50507 CVSS:9.8

Deserialization of Untrusted Data vulnerability in Daniel Schmitzer DS.DownloadList allows Object Injection. This issue affects DS.DownloadList: from n/a through 1.3.

CVE-2024-50509 CVSS:8.6

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chetan Khandla Woocommerce Product Design allows Path Traversal. This issue affects Woocommerce Product Design: from n/a through 1.0.0.

CVE-2024-50503 CVSS:9.8

Authentication Bypass Using an Alternate Path or Channel vulnerability in Deryck Oñate User Toolkit allows Authentication Bypass. This issue affects User Toolkit: from n/a through 1.2.3.

CVE-2024-10108 CVSS:7.2

The WPAdverts – Classifieds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's adverts_add shortcode in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
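As an added illustration of the shortcode pattern behind this class of stored XSS (this is not WPAdverts's own code; the handler and attribute names are assumed placeholders), a handler that echoes attribute values into HTML unescaped, beside a hardened version that escapes each value for the context it lands in:

```php
<?php
// Added example, not code from the WPAdverts plugin. The shortcode tag,
// the attribute names and the markup are placeholders chosen to show
// the vulnerable-vs-hardened pattern described in the advisory.

// Vulnerable pattern: attribute values coming from post content are
// concatenated straight into the output. A value containing a quote or
// angle bracket closes the attribute or element and becomes markup,
// which is how stored script ends up rendered for every visitor.
function example_adverts_add_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'class' => '' ), $atts, 'adverts_add' );
    return '<div class="' . $atts['class'] . '"><h2>' . $atts['title'] . '</h2></div>';
}

// Hardened pattern: the class name is reduced to a safe character set
// on input, and every value is escaped for its output context (esc_attr
// inside an attribute, esc_html as element text) on output.
function example_adverts_add_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '', 'class' => '' ), $atts, 'adverts_add' );
    $class = sanitize_html_class( $atts['class'], 'adverts-add' );
    return '<div class="' . esc_attr( $class ) . '"><h2>' . esc_html( $atts['title'] ) . '</h2></div>';
}

// Register only the hardened handler; the vulnerable one is kept above
// for comparison and should never be wired to a shortcode tag.
add_shortcode( 'adverts_add_example', 'example_adverts_add_hardened' );
```

Both shortcode_atts() calls also drop any attribute not in the defaults array, so unexpected attributes never reach the output at all.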

Impact

  • Privilege Escalation
  • Gain Access
  • Cross-Site Scripting

Indicators of Compromise

CVE

  • CVE-2024-50504
  • CVE-2024-50506
  • CVE-2024-50508
  • CVE-2024-50510
  • CVE-2024-50511
  • CVE-2024-50507
  • CVE-2024-50509
  • CVE-2024-50503
  • CVE-2024-10108

Affected Vendors

WordPress

Affected Products

  • Matt Whiteman Bulk Change Role - n/a
  • Azexo Marketing Automation by AZEXO - n/a
  • Chetan Khandla Woocommerce Product Design - n/a
  • Web and Print Design AR For Woocommerce - n/a
  • David DONISA WP donimedia carousel - n/a
  • Daniel Schmitzer DS.DownloadList - n/a
  • Deryck Oñate User Toolkit - n/a
  • gwin WPAdverts – Classifieds Plugin - *

Remediation

Upgrade each affected plugin to its latest version, available from the WordPress Plugin Directory.
