
Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-54351 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in Tom Landis Fancy Roller Scroller allows Stored XSS. This issue affects Fancy Roller Scroller: from n/a through 1.4.0.

CVE-2024-54347 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BAKKBONE Australia FloristPress allows Reflected XSS. This issue affects FloristPress: from n/a through 7.2.0.

CVE-2024-54344 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fahad Mahmood WP Quick Shop allows Reflected XSS. This issue affects WP Quick Shop: from n/a through 1.3.1.

CVE-2024-54342 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in STAGGS Staggs Product Configurator for WooCommerce allows Reflected XSS. This issue affects Staggs Product Configurator for WooCommerce: from n/a through 2.0.0.

CVE-2024-54343 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Howard Ehrenberg Connect Contact Form 7 to Constant Contact allows Reflected XSS. This issue affects Connect Contact Form 7 to Constant Contact: from n/a through 1.4.

CVE-2024-54341 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LabelGrid LabelGrid Tools allows Reflected XSS. This issue affects LabelGrid Tools: from n/a through 1.3.58.

CVE-2024-54339 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jbd7 geoFlickr allows Reflected XSS. This issue affects geoFlickr: from n/a through 1.3.

CVE-2024-54340 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sylvia van Os Simple Presenter allows Reflected XSS. This issue affects Simple Presenter: from n/a through 1.5.1.

CVE-2024-54337 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in DevriX DX Dark Site allows Stored XSS. This issue affects DX Dark Site: from n/a through 1.0.1.

CVE-2024-54336 CVSS:8.8

Authentication Bypass Using an Alternate Path or Channel vulnerability in Projectopia Projectopia allows Authentication Bypass. This issue affects Projectopia: from n/a through 5.1.7.

Impact

  • Cross-Site Scripting (reflected, and stored via CSRF)
  • Authentication Bypass (Projectopia, CVE-2024-54336)

Indicators of Compromise

CVE

  • CVE-2024-54351
  • CVE-2024-54347
  • CVE-2024-54344
  • CVE-2024-54342
  • CVE-2024-54343
  • CVE-2024-54341
  • CVE-2024-54339
  • CVE-2024-54340
  • CVE-2024-54337
  • CVE-2024-54336

Affected Vendors

WordPress

Affected Products

  • Tom Landis Fancy Roller Scroller - n/a
  • BAKKBONE Australia FloristPress - n/a
  • Fahad Mahmood WP Quick Shop - n/a
  • STAGGS Staggs Product Configurator for WooCommerce - n/a
  • Howard Ehrenberg Connect Contact Form 7 to Constant Contact - n/a
  • LabelGrid LabelGrid Tools - n/a
  • jbd7 geoFlickr - n/a
  • Sylvia van Os Simple Presenter - n/a
  • DevriX DX Dark Site - n/a
  • Projectopia - n/a

Remediation

Upgrade to the latest version, available from the WordPress Plugin Directory.
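A quick way to check a site's plugin inventory against the "through" versions listed above, as an added example that is not part of the Rewterz advisory. It assumes an inventory in the shape `wp plugin list --fields=name,title,version --format=json` emits; the sample inventory below is constructed and its slugs are placeholders, and plugins are matched on their display title since the advisory gives no slugs.

```python
import json
import re

# Highest affected version per plugin, taken from the advisory ("through X").
AFFECTED_THROUGH = {
    "Fancy Roller Scroller": "1.4.0",
    "FloristPress": "7.2.0",
    "WP Quick Shop": "1.3.1",
    "Staggs Product Configurator for WooCommerce": "2.0.0",
    "Connect Contact Form 7 to Constant Contact": "1.4",
    "LabelGrid Tools": "1.3.58",
    "geoFlickr": "1.3",
    "Simple Presenter": "1.5.1",
    "DX Dark Site": "1.0.1",
    "Projectopia": "5.1.7",
}

def version_key(version):
    """Numeric tuple for ordering: '1.3.9' < '1.3.58', and '1.4' == '1.4.0'."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    while nums and nums[-1] == 0:  # trailing zeros do not change the version
        nums.pop()
    return tuple(nums)

def is_affected(installed, through):
    """True when the installed version is at or below the last affected one."""
    return version_key(installed) <= version_key(through)

def find_affected(inventory_json):
    """Return (title, installed, through) for every plugin that needs an upgrade."""
    hits = []
    for plugin in json.loads(inventory_json):
        for title, through in AFFECTED_THROUGH.items():
            if title.lower() in plugin["title"].lower() and is_affected(plugin["version"], through):
                hits.append((plugin["title"], plugin["version"], through))
    return hits

# Constructed sample inventory in the shape `wp plugin list --format=json` emits
# (assumed fields name/title/version); the slugs are placeholders, not real ones.
SAMPLE_INVENTORY = json.dumps([
    {"name": "placeholder-a", "title": "Fancy Roller Scroller", "version": "1.4.0"},
    {"name": "placeholder-b", "title": "Projectopia", "version": "5.1.8"},
    {"name": "placeholder-c", "title": "LabelGrid Tools", "version": "1.3.9"},
    {"name": "placeholder-d", "title": "Unrelated Plugin", "version": "2.1"},
])

if __name__ == "__main__":
    for title, installed, through in find_affected(SAMPLE_INVENTORY):
        print(f"UPGRADE {title}: installed {installed}, affected through {through}")
```

Note that a plain string comparison would wrongly treat LabelGrid Tools 1.3.9 as newer than 1.3.58; the numeric tuple comparison is what makes the check correct.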
