New Variant of FakeCall Malware Takes Over Android Devices to Make False Banking Calls – Active IOCs
November 4, 2024
FreeBSD Servers Targeted by New Interlock Ransomware – Active IOCs
November 4, 2024
Severity
High
Analysis Summary
CVE-2024-50504 CVSS: 8.8
Incorrect Privilege Assignment vulnerability in Matt Whiteman Bulk Change Role allows Privilege Escalation. This issue affects Bulk Change Role: from n/a through 1.1.
CVE-2024-50506 CVSS: 8.8
Incorrect Privilege Assignment vulnerability in Azexo Marketing Automation by AZEXO allows Privilege Escalation.
CVE-2024-50508 CVSS: 7.5
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chetan Khandla Woocommerce Product Design allows Path Traversal. This issue affects Woocommerce Product Design: from n/a through 1.0.0.
CVE-2024-50510 CVSS: 10.0
Unrestricted Upload of File with Dangerous Type vulnerability in Web and Print Design AR For Woocommerce allows an attacker to upload a web shell to the web server. This issue affects AR For Woocommerce: from n/a through 6.2.
CVE-2024-50511 CVSS: 9.9
Unrestricted Upload of File with Dangerous Type vulnerability in David DONISA WP donimedia carousel allows an attacker to upload a web shell to the web server. This issue affects WP donimedia carousel: from n/a through 1.0.1.
CVE-2024-50507 CVSS: 9.8
Deserialization of Untrusted Data vulnerability in Daniel Schmitzer DS.DownloadList allows Object Injection. This issue affects DS.DownloadList: from n/a through 1.3.
CVE-2024-50509 CVSS: 8.6
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chetan Khandla Woocommerce Product Design allows Path Traversal. This issue affects Woocommerce Product Design: from n/a through 1.0.0.
CVE-2024-50503 CVSS: 9.8
Authentication Bypass Using an Alternate Path or Channel vulnerability in Deryck Oñate User Toolkit allows Authentication Bypass. This issue affects User Toolkit: from n/a through 1.2.3.
CVE-2024-10108 CVSS: 7.2
The WPAdverts – Classifieds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's adverts_add shortcode in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
Impact
- Privilege Escalation
- Authentication Bypass
- Remote Code Execution (web shell upload, PHP object injection)
- Path Traversal
- Stored Cross-Site Scripting
Indicators of Compromise
CVE
- CVE-2024-50504
- CVE-2024-50506
- CVE-2024-50508
- CVE-2024-50510
- CVE-2024-50511
- CVE-2024-50507
- CVE-2024-50509
- CVE-2024-50503
- CVE-2024-10108
Affected Vendors
- Matt Whiteman
- AZEXO
- Chetan Khandla
- Web and Print Design
- David DONISA
- Daniel Schmitzer
- Deryck Oñate
- gwin
Affected Products
- Matt Whiteman Bulk Change Role - n/a through 1.1
- Azexo Marketing Automation by AZEXO - n/a (no version range given)
- Chetan Khandla Woocommerce Product Design - n/a through 1.0.0
- Web and Print Design AR For Woocommerce - n/a through 6.2
- David DONISA WP donimedia carousel - n/a through 1.0.1
- Daniel Schmitzer DS.DownloadList - n/a through 1.3
- Deryck Oñate User Toolkit - n/a through 1.2.3
- gwin WPAdverts – Classifieds Plugin - all versions up to and including 2.1.6
Remediation
Upgrade each affected plugin to the latest version available from the WordPress Plugin Directory. Note that "from n/a through X" in the summary above means every release up to and including X is affected and this advisory does not name a fixed release, so confirm that a patched version actually exists before treating an update as the fix; where no fix is available, or the plugin has been closed in the directory, deactivate and delete it rather than leaving it installed. For the web shell upload and deserialization issues (CVE-2024-50510, CVE-2024-50511, CVE-2024-50507), also review wp-content/uploads for PHP files and check for unexpected administrator accounts, since patching does not remove access an attacker has already gained.
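As an added triage example for the remediation step above and for the web shell upload CVEs (this is not code from the advisory or from any of the plugin vendors), the Python below compares a site's installed plugins against the affected version ceilings listed in this advisory and then looks for PHP files or .htaccess dropped under wp-content/uploads. It assumes the plugin data is in the JSON shape produced by `wp plugin list --format=json` (name, status, update, version); the plugin slugs in the table are assumptions, not taken from the advisory, so match them against the directory names under wp-content/plugins before relying on the output.

```python
"""Triage the WordPress plugin CVEs from this advisory.
Added example, not the advisory's or any vendor's code. Assumptions: input is
`wp plugin list --format=json` output; plugin slugs below are guesses and must
be matched against wp-content/plugins on the target site."""
import json
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# slug -> [(CVE, highest version the advisory lists as affected)].
# None = the advisory gives no version range (CVE-2024-50506): treat every
# installed version as affected until the vendor says otherwise.
AFFECTED: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "bulk-change-role": [("CVE-2024-50504", "1.1")],
    "azexo-marketing-automation": [("CVE-2024-50506", None)],
    "woocommerce-product-design": [("CVE-2024-50508", "1.0.0"), ("CVE-2024-50509", "1.0.0")],
    "ar-for-woocommerce": [("CVE-2024-50510", "6.2")],
    "wp-donimedia-carousel": [("CVE-2024-50511", "1.0.1")],
    "ds-downloadlist": [("CVE-2024-50507", "1.3")],
    "user-toolkit": [("CVE-2024-50503", "1.2.3")],
    "wpadverts": [("CVE-2024-10108", "2.1.6")],
}


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric tuple for a dotted version string; '1.0-beta' -> (1, 0)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def at_or_below(installed: str, ceiling: str) -> bool:
    """True when installed <= ceiling, padding so that '1.0' equals '1.0.0'."""
    a, b = version_key(installed), version_key(ceiling)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def check_plugins(wp_plugin_list_json: str) -> List[dict]:
    """One finding per (installed plugin, CVE) this advisory covers.
    'affected'   : version is inside the advisory's "n/a through X" range.
    'verify-fix' : version is newer than X; the advisory names no fixed
                   release, so confirm the fix with the vendor, do not assume."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        for cve, ceiling in AFFECTED.get(plugin["name"], []):
            affected = ceiling is None or at_or_below(plugin["version"], ceiling)
            findings.append({
                "plugin": plugin["name"], "version": plugin["version"], "cve": cve,
                "status": "affected" if affected else "verify-fix",
                "active": plugin["status"] == "active",
            })
    return findings


PHP_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}


def find_php_under_uploads(uploads_dir: str) -> List[str]:
    """Files that should never sit under wp-content/uploads: anything with a
    PHP extension in any position (catches shell.php.jpg as well as shell.php)
    and any .htaccess, which is commonly dropped to re-enable PHP execution."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            suffixes = {part.lower() for part in name.split(".")[1:]}
            if name == ".htaccess" or suffixes & PHP_EXTENSIONS:
                hits.append(os.path.join(root, name))
    return sorted(hits)


# Constructed sample of `wp plugin list --format=json` output, not from a real site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "wpadverts", "status": "active", "update": "available", "version": "2.1.6"},
    {"name": "user-toolkit", "status": "inactive", "update": "none", "version": "1.2.3"},
    {"name": "ar-for-woocommerce", "status": "active", "update": "none", "version": "6.3"},
    {"name": "woocommerce-product-design", "status": "active", "update": "none", "version": "1.0"},
])


def demo_uploads_scan() -> List[str]:
    """Build a constructed uploads tree in a temp dir, scan it, return relative hits."""
    with tempfile.TemporaryDirectory() as d:
        for rel in ("2024/11/photo.jpg", "2024/11/shell.php", "2024/11/shell.php.jpg", "2024/11/.htaccess"):
            path = os.path.join(d, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("x")  # constructed placeholder content
        return [os.path.relpath(h, d).replace(os.sep, "/") for h in find_php_under_uploads(d)]


if __name__ == "__main__":
    for f in check_plugins(SAMPLE_PLUGIN_LIST):
        print(f"{f['plugin']} {f['version']}: {f['cve']} -> {f['status']}")
    print("suspicious upload files:", demo_uploads_scan())
```

On a live site, pipe `wp plugin list --format=json` into `check_plugins` and point `find_php_under_uploads` at the real wp-content/uploads path. A `verify-fix` result is deliberately not a clean bill of health: the advisory lists only the last known affected release, so a newer build is evidence to check, not proof of a patch.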