November 5, 2024
Severity
High
Analysis Summary
CVE-2024-47314 CVSS:7.1
Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels.
CVE-2024-37106 CVSS:8.2
Missing Authorization vulnerability in WishList Products WishList Member X allows Exploiting Incorrectly Configured Access Control Security Levels.
CVE-2024-37108 CVSS:7.7
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WishList Products WishList Member X allows Path Traversal.
CVE-2024-37232 CVSS:8.8
Missing Authorization vulnerability in Hercules Design Hercules Core allows Exploiting Incorrectly Configured Access Control Security Levels.
CVE-2024-37277 CVSS:7.5
Authorization Bypass Through User-Controlled Key vulnerability in Paid Memberships Pro allows Accessing Functionality Not Properly Constrained by ACLs.
CVE-2024-37423 CVSS:8.5
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic Newspack Blocks allows Path Traversal.
CVE-2024-37470 CVSS:8.2
Missing Authorization vulnerability in WofficeIO Woffice Core allows Accessing Functionality Not Properly Constrained by ACLs.
CVE-2024-38721 CVSS:7.1
Missing Authorization vulnerability in spider-themes EazyDocs allows Exploiting Incorrectly Configured Access Control Security Levels.
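Two of the entries above (CVE-2024-37108, CVE-2024-37423) are CWE-22 path traversal. The check below is an added, language-neutral illustration of the containment test such a file handler needs; it is not code from the advisory or from any of the listed plugins, and the upload directory, file names and probe strings it builds are constructed for the demo.

```python
"""Added example (not from the advisory or from any listed plugin): a
containment check that rejects the traversal patterns behind CWE-22 findings
such as CVE-2024-37108 and CVE-2024-37423. The directory tree, file names and
probe inputs are constructed for the demo."""
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_inside(base_dir: str, user_path: str, max_decode_rounds: int = 3) -> Optional[str]:
    """Return the canonical path of base_dir/user_path if it stays strictly
    inside base_dir, otherwise None.

    Percent-decoding is repeated because double encoding (%252e%252e) is a
    common bypass; NUL bytes and absolute paths are rejected outright; the
    final comparison uses realpath on both sides so symlinks inside the base
    directory cannot point the handler outside it."""
    decoded = user_path
    for _ in range(max_decode_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        return None
    # Treat backslash as a separator too, the conservative choice for web input.
    decoded = decoded.replace("\\", "/")
    if os.path.isabs(decoded):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    # Strict prefix check: the base directory itself is not a servable file.
    if not target.startswith(base + os.sep):
        return None
    return target


def demo() -> Dict[str, bool]:
    """Build a constructed upload directory in a temp location and probe it.
    Returns {probe_input: allowed}."""
    root = tempfile.mkdtemp(prefix="wp-traversal-demo-")
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "invoice.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php /* constructed sample, not a real config */\n")
    # A symlink inside the allowed directory that escapes it.
    os.symlink(os.path.join(root, "wp-config.php"), os.path.join(uploads, "escape"))

    probes = [
        "invoice.pdf",                    # benign
        "sub/../invoice.pdf",             # normalises to a benign path
        "../wp-config.php",               # plain traversal
        "..\\wp-config.php",              # backslash variant
        "..%2Fwp-config.php",             # single-encoded slash
        "%252e%252e%2Fwp-config.php",     # double-encoded dots
        "/etc/passwd",                    # absolute path
        "escape",                         # symlink pointing outside
        "invoice.pdf\x00.jpg",            # NUL truncation
        "",                               # empty name resolves to the base dir
    ]
    return {p: resolve_inside(uploads, p) is not None for p in probes}


if __name__ == "__main__":
    for probe, allowed in demo().items():
        print("ALLOW " if allowed else "REJECT", repr(probe))
```

The decisive step is comparing canonical paths after resolution, not filtering the string for `..`; string filters are what the encoded and symlink probes above defeat.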
Impact
- Unauthorized access to functionality that should be restricted to privileged users (missing authorization and user-controlled key entries)
- Path traversal: reading or writing files outside the directory the plugin intends to expose
Indicators of Compromise
CVE
- CVE-2024-47314
- CVE-2024-37106
- CVE-2024-37108
- CVE-2024-37232
- CVE-2024-37277
- CVE-2024-37423
- CVE-2024-37470
- CVE-2024-38721
Affected Vendors
- WP Sunshine
- WishList Products
- Hercules Design
- Paid Memberships Pro
- Automattic
- WofficeIO
- spider-themes
Affected Products
- WP Sunshine Sunshine Photo Cart - n/a
- WishList Products WishList Member X - n/a
- Hercules Design Hercules Core - n/a
- Paid Memberships Pro Paid Memberships Pro - n/a
- Automattic Newspack Blocks - n/a
- WofficeIO Woffice Core - n/a
- spider-themes EazyDocs - n/a
Remediation
Upgrade each affected plugin to the latest version. Plugins hosted in the WordPress Plugin Directory update through the WordPress admin or WP-CLI; not every product listed here is hosted there, so obtain premium builds from the vendor. No fixed version numbers are given above ("n/a"), so confirm the patched release in each vendor's changelog before closing the finding, and remove inactive copies of an affected plugin rather than leaving them on disk.
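To turn the affected-products list into a site-by-site check, the script below cross-references the output of `wp plugin list --format=json` against the advisory. It is an added example, not code from the advisory or from any vendor; the slug-to-product mapping and the sample plugin inventory are assumptions and constructed input respectively, and the slugs for the premium plugins in particular must be confirmed against the copy installed locally.

```python
"""Added example (not from the advisory): flag installed WordPress plugins that
appear in this advisory. Input is the JSON printed by
`wp plugin list --format=json --fields=name,status,update,version`; the sample
inventory below is constructed, and the slug mapping is an assumption."""
import json
from typing import Dict, List

# Assumed plugin slugs for the products named in the advisory. The premium
# plugins (WishList Member X, Woffice Core, Hercules Core) are not in the
# wordpress.org directory, so their slugs are guesses to confirm on the host.
ADVISORY: Dict[str, List[str]] = {
    "sunshine-photo-cart": ["CVE-2024-47314"],
    "wishlist-member": ["CVE-2024-37106", "CVE-2024-37108"],
    "hercules-core": ["CVE-2024-37232"],
    "paid-memberships-pro": ["CVE-2024-37277"],
    "newspack-blocks": ["CVE-2024-37423"],
    "woffice-core": ["CVE-2024-37470"],
    "eazydocs": ["CVE-2024-38721"],
}

# Constructed stand-in for the WP-CLI output of one site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "paid-memberships-pro", "status": "active", "update": "available", "version": "3.0.3"},
    {"name": "eazydocs", "status": "inactive", "update": "none", "version": "2.4.0"},
    {"name": "newspack-blocks", "status": "active", "update": "none", "version": "3.1.0"},
])


def triage(plugin_list_json: str, advisory: Dict[str, List[str]] = ADVISORY) -> List[dict]:
    """Return one finding per installed plugin that the advisory names.

    The advisory lists no fixed versions, so every installed copy is flagged;
    the recommended action depends on what WordPress already knows about an
    update and on whether the plugin is active."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        cves = advisory.get(plugin["name"])
        if not cves:
            continue
        if plugin["update"] == "available":
            action = "update now: wp plugin update {}".format(plugin["name"])
        elif plugin["status"] == "inactive":
            action = "not hooked but still on disk: update from vendor or delete"
        else:
            action = "no update offered: confirm fixed version with vendor or deactivate"
        findings.append({
            "plugin": plugin["name"],
            "version": plugin["version"],
            "status": plugin["status"],
            "cves": cves,
            "action": action,
        })
    return sorted(findings, key=lambda f: f["plugin"])


if __name__ == "__main__":
    for f in triage(SAMPLE_WP_PLUGIN_LIST):
        print("{plugin} {version} ({status}): {cves} -> {action}".format(
            plugin=f["plugin"], version=f["version"], status=f["status"],
            cves=", ".join(f["cves"]), action=f["action"]))
```

On a real host, pipe the CLI output in with `wp plugin list --format=json --fields=name,status,update,version` and run across every site in a fleet; keep the slug mapping under version control so that when a vendor publishes a fixed version it can be added as a lower bound instead of flagging every install.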