

December 5, 2024
Severity
Medium
Analysis Summary
CVE-2024-9542 CVSS:4.3
The Sky Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.1 via the render function in modules/content-switcher/widgets/content-switcher.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data.
CVE-2024-10316 CVSS:4.3
The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.4 in includes/templates/content-switcher.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
CVE-2024-10792 CVSS:6.1
The Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This was partially patched in 3.
CVE-2024-10675 CVSS:6.1
The affiliate-toolkit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via a URL in all versions up to, and including, 3.6.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-11371 CVSS:6.1
The Theater for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.18.6.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
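The two defect classes described above (reflected XSS from unescaped request data or raw `add_query_arg()` output, and template data returned without a status/capability check), as an added PHP illustration that is not code from any of the listed plugins: each weak pattern is shown beside a hardened form. The function names are hypothetical; the WordPress core functions used (add_query_arg, esc_url, esc_attr, absint, wp_unslash, get_post, get_post_status, current_user_can) are real.

```php
<?php
// Added illustration, not code from any plugin in this advisory. Function
// names are hypothetical; only the WordPress core API calls are real.

// --- Reflected XSS class (the CVE-2024-10792 / CVE-2024-11371 pattern) ----

// Weak: add_query_arg() with no base URL builds on $_SERVER['REQUEST_URI'],
// so request-controlled data lands in the href attribute unescaped.
function example_pagination_link_weak( $page ) {
    return '<a href="' . add_query_arg( 'paged', $page ) . '">Next</a>';
}

// Hardened: add_query_arg() output is never safe to echo raw; always esc_url().
function example_pagination_link_hardened( $page ) {
    $url = add_query_arg( 'paged', absint( $page ) );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// Weak: a request parameter echoed straight into markup.
function example_post_id_field_weak() {
    $post_id = isset( $_GET['post_id'] ) ? $_GET['post_id'] : '';
    return '<input type="hidden" name="post_id" value="' . $post_id . '">';
}

// Hardened: coerce to the expected type on input, escape on output.
function example_post_id_field_hardened() {
    $post_id = isset( $_GET['post_id'] ) ? absint( wp_unslash( $_GET['post_id'] ) ) : 0;
    return '<input type="hidden" name="post_id" value="' . esc_attr( $post_id ) . '">';
}

// --- Sensitive information exposure class (the CVE-2024-9542 / -10316 pattern)

// Weak: renders whatever template ID the request names, whatever its status.
function example_render_template_weak( $template_id ) {
    $post = get_post( absint( $template_id ) );
    return $post ? $post->post_content : '';
}

// Hardened: non-published templates (private, pending, draft) are returned
// only to users who hold the read_post meta capability for that post.
function example_render_template_hardened( $template_id ) {
    $template_id = absint( $template_id );
    $post        = get_post( $template_id );
    if ( ! $post ) {
        return '';
    }
    if ( 'publish' !== get_post_status( $post ) && ! current_user_can( 'read_post', $template_id ) ) {
        return '';
    }
    return $post->post_content;
}
```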
Impact
- Information Disclosure
- Cross-Site Scripting
Indicators of Compromise
CVE
- CVE-2024-9542
- CVE-2024-10316
- CVE-2024-10792
- CVE-2024-10675
- CVE-2024-11371
Affected Vendors
Affected Products
- jetmonsters Stratum – Elementor Widgets - *
- cservit affiliate-toolkit – WP Affiliate Plugin with Amazon - *
- slimndap Theater for WordPress - *
- getwpfunnels Easiest Funnel Builder For WordPress and WooCommerce by WPFunnels - *
Remediation
Upgrade to the latest version, available from the WordPress Plugin Directory.