Threat Actors in Supply Chain Attack Stole 390,000 WordPress Accounts – Active IOCs
December 16, 2024
Bitter APT Targeting Pakistan – Active IOCs
December 16, 2024
Severity
High
Analysis Summary
This advisory covers ten vulnerabilities in WordPress plugins: seven reflected cross-site scripting (XSS) issues, two cross-site request forgery (CSRF) issues that allow stored XSS, and one authentication bypass. All ten are listed as affecting every release up to and including the version given, with no lower bound (n/a) stated.
CVE-2024-54351 CVSS: 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Tom Landis Fancy Roller Scroller allows Stored XSS. This issue affects Fancy Roller Scroller: from n/a through 1.4.0.
CVE-2024-54347 CVSS: 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BAKKBONE Australia FloristPress allows Reflected XSS. This issue affects FloristPress: from n/a through 7.2.0.
CVE-2024-54344 CVSS: 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fahad Mahmood WP Quick Shop allows Reflected XSS. This issue affects WP Quick Shop: from n/a through 1.3.1.
CVE-2024-54342 CVSS: 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in STAGGS Staggs Product Configurator for WooCommerce allows Reflected XSS. This issue affects Staggs Product Configurator for WooCommerce: from n/a through 2.0.0.
CVE-2024-54343 CVSS: 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Howard Ehrenberg Connect Contact Form 7 to Constant Contact allows Reflected XSS. This issue affects Connect Contact Form 7 to Constant Contact: from n/a through 1.4.
CVE-2024-54341 CVSS: 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LabelGrid LabelGrid Tools allows Reflected XSS. This issue affects LabelGrid Tools: from n/a through 1.3.58.
CVE-2024-54339 CVSS: 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jbd7 geoFlickr allows Reflected XSS. This issue affects geoFlickr: from n/a through 1.3.
CVE-2024-54340 CVSS: 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sylvia van Os Simple Presenter allows Reflected XSS. This issue affects Simple Presenter: from n/a through 1.5.1.
CVE-2024-54337 CVSS: 7.1
Cross-Site Request Forgery (CSRF) vulnerability in DevriX DX Dark Site allows Stored XSS. This issue affects DX Dark Site: from n/a through 1.0.1.
CVE-2024-54336 CVSS: 8.8
Authentication Bypass Using an Alternate Path or Channel vulnerability in Projectopia Projectopia allows Authentication Bypass. This issue affects Projectopia: from n/a through 5.1.7.
Impact
- Cross-Site Scripting (reflected in seven plugins; stored via CSRF in CVE-2024-54351 and CVE-2024-54337)
- Cross-Site Request Forgery
- Authentication Bypass (CVE-2024-54336)
Indicators of Compromise
CVE
- CVE-2024-54351
- CVE-2024-54347
- CVE-2024-54344
- CVE-2024-54342
- CVE-2024-54343
- CVE-2024-54341
- CVE-2024-54339
- CVE-2024-54340
- CVE-2024-54337
- CVE-2024-54336
Affected Vendors
- Tom Landis
- BAKKBONE Australia
- Fahad Mahmood
- STAGGS
- Howard Ehrenberg
- LabelGrid
- jbd7
- Sylvia van Os
- DevriX
- Projectopia
Affected Products
- Tom Landis Fancy Roller Scroller - n/a through 1.4.0
- BAKKBONE Australia FloristPress - n/a through 7.2.0
- Fahad Mahmood WP Quick Shop - n/a through 1.3.1
- STAGGS Staggs Product Configurator for WooCommerce - n/a through 2.0.0
- Howard Ehrenberg Connect Contact Form 7 to Constant Contact - n/a through 1.4
- LabelGrid LabelGrid Tools - n/a through 1.3.58
- jbd7 geoFlickr - n/a through 1.3
- Sylvia van Os Simple Presenter - n/a through 1.5.1
- DevriX DX Dark Site - n/a through 1.0.1
- Projectopia - n/a through 5.1.7
Remediation
Upgrade each affected plugin to the latest version available from the WordPress Plugin Directory. The affected ranges above are stated only as "through" a given version, so first confirm that a release newer than that ceiling actually exists; where none does, deactivate and remove the plugin rather than leaving it installed. Prioritise Projectopia (CVE-2024-54336, CVSS 8.8): an authentication bypass needs no user interaction, whereas the reflected XSS and CSRF-to-stored-XSS issues require a logged-in user, typically an administrator, to follow an attacker-supplied link. Inventory installed plugin versions on every site you operate rather than relying on a single dashboard view, and compare versions numerically, not as strings, since for example 1.3.6 is older than 1.3.58.
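The version check described above, as an added example that is not part of this advisory: the script below takes the JSON produced by WP-CLI (assumed invocation: wp plugin list --fields=name,title,status,version,update_version --format=json), matches installed plugins against the "through" versions listed on this page, and reports which ones still sit inside the affected range and what to do about each. Matching on the plugin's display title is an assumption, since the page gives product names rather than plugin slugs; the sample plugin list, its slugs and its update versions are constructed for illustration.

```python
"""Triage installed WordPress plugins against the affected ranges in this advisory.

Input: JSON from  wp plugin list --fields=name,title,status,version,update_version --format=json
(assumed WP-CLI usage; the sample below is constructed, not captured from a real site).
"""
import json
import re
from typing import List, Tuple

# Plugin title -> (CVE, highest version listed as affected), copied from the advisory.
# Matching on the display title is an assumption; the page does not give plugin slugs.
ADVISORY = {
    "Fancy Roller Scroller": ("CVE-2024-54351", "1.4.0"),
    "FloristPress": ("CVE-2024-54347", "7.2.0"),
    "WP Quick Shop": ("CVE-2024-54344", "1.3.1"),
    "Staggs Product Configurator for WooCommerce": ("CVE-2024-54342", "2.0.0"),
    "Connect Contact Form 7 to Constant Contact": ("CVE-2024-54343", "1.4"),
    "LabelGrid Tools": ("CVE-2024-54341", "1.3.58"),
    "geoFlickr": ("CVE-2024-54339", "1.3"),
    "Simple Presenter": ("CVE-2024-54340", "1.5.1"),
    "DX Dark Site": ("CVE-2024-54337", "1.0.1"),
    "Projectopia": ("CVE-2024-54336", "5.1.7"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric components only: '1.3.58' -> (1, 3, 58). Pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v)) or (0,)


def version_le(a: str, b: str) -> bool:
    """True if a <= b, comparing component-wise as integers (so 1.3.6 < 1.3.58)
    and zero-padding so that '1.4' and '1.4.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) <= pb + (0,) * (n - len(pb))


def triage(plugin_list_json: str) -> List[dict]:
    """Return one finding per installed plugin whose version is inside an affected range."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        hit = ADVISORY.get(plugin.get("title", ""))
        if hit is None:
            continue
        cve, through = hit
        installed = plugin["version"]
        if not version_le(installed, through):
            continue  # newer than the listed ceiling: not in the affected range
        update_to = plugin.get("update_version") or ""
        # An update only helps if it actually leaves the affected range.
        if update_to and not version_le(update_to, through):
            action = f"update to {update_to}"
        else:
            action = "no fixed release visible: deactivate and remove until one is published"
        if plugin.get("status") == "inactive":
            action += " (inactive, but still on disk and one click from reactivation)"
        findings.append({"cve": cve, "title": plugin["title"], "installed": installed,
                         "through": through, "action": action})
    return findings


# Constructed sample of WP-CLI output; slugs and update versions are illustrative only.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "fancy-roller-scroller", "title": "Fancy Roller Scroller",
     "status": "active", "version": "1.4.0", "update_version": "1.4.1"},
    {"name": "wp-quick-shop", "title": "WP Quick Shop",
     "status": "active", "version": "1.3.2", "update_version": ""},
    {"name": "labelgrid-tools", "title": "LabelGrid Tools",
     "status": "inactive", "version": "1.3.6", "update_version": ""},
    {"name": "projectopia-core", "title": "Projectopia",
     "status": "active", "version": "5.1.7", "update_version": ""},
    {"name": "akismet", "title": "Akismet Anti-spam: Spam Protection",
     "status": "active", "version": "5.3", "update_version": ""},
])

if __name__ == "__main__":
    for f in triage(SAMPLE_WP_PLUGIN_LIST):
        print(f"{f['cve']}: {f['title']} {f['installed']} (affected through {f['through']}) -> {f['action']}")
```

On a real host, pipe the WP-CLI output into triage() instead of the constructed sample. Note that LabelGrid Tools 1.3.6 is reported as affected because the comparison is numeric; a naive string comparison would wrongly treat "1.3.6" as newer than "1.3.58". WP Quick Shop 1.3.2 is outside the listed range and is skipped.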