June 20, 2024
Severity
High
Analysis Summary
CVE-2024-32778 CVSS:7.1
The Contest Gallery plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions because of an insecure design flaw. By sending a specially crafted request, an attacker could bypass access restrictions and delete arbitrary files.
CVE-2024-4898 CVSS:9.8
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress could allow a remote, unauthenticated attacker to bypass security restrictions because an API endpoint is exposed without an authorization check. By sending a specially crafted request, an attacker could connect the site to the InstaWP API, edit arbitrary site options and create administrator accounts.
CVE-2024-3922 CVSS:10
The weDevs Dokan Pro plugin for WordPress is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements through the code parameter, allowing the attacker to view, add, modify or delete information in the back-end database.
CVE-2024-32781 CVSS:7.5
The Email Customizer for WooCommerce plugin for WordPress could allow a remote attacker to obtain sensitive information by sending a specially crafted request.
Impact
- Security Bypass
- Data Manipulation
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-32778
- CVE-2024-4898
- CVE-2024-3922
- CVE-2024-32781
Affected Vendors
Affected Products
- Contest Gallery Plugin for WordPress 21.3.4
- weDevs Dokan Pro plugin for WordPress 3.10.3
- Email Customizer for WooCommerce Plugin for WordPress 2.6.0
- InstaWP Connect Staging Migration plugin for WordPress 0.1.0.38
Remediation
Upgrade each affected plugin to its latest version, available from the WordPress Plugin Directory or the vendor's own download portal for premium plugins such as Dokan Pro.
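A quick way to find which of the affected plugins are installed before upgrading is to compare the output of WP-CLI's `wp plugin list --format=json` against the versions in the Affected Products list. The script below is an added example, not part of the original advisory or of any of the plugins. It assumes the plugin slugs shown in the AFFECTED table (adjust them to what `wp plugin list` reports on your site) and treats each listed version as an upper bound, i.e. "up to and including", which is the usual reading of such advisories but should be confirmed against the vendor's release notes. The sample WP-CLI output is constructed for the example.

```python
"""Flag installed WordPress plugins whose version is within the affected range.

Added example for this advisory. Input is the JSON produced by
`wp plugin list --format=json`; a constructed sample is embedded so the
script runs offline.
"""
import json
import re

# Affected products and versions from the advisory. The slugs are assumptions
# (verify against `wp plugin list`); the "<= version" reading is an assumption.
AFFECTED = {
    "contest-gallery": ("CVE-2024-32778", "21.3.4"),
    "dokan-pro": ("CVE-2024-3922", "3.10.3"),
    "email-customizer-for-woocommerce": ("CVE-2024-32781", "2.6.0"),
    "instawp-connect": ("CVE-2024-4898", "0.1.0.38"),
}

# Constructed sample of `wp plugin list --format=json` output, not real site data.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "dokan-pro", "status": "active", "update": "available", "version": "3.10.3"},
    {"name": "instawp-connect", "status": "inactive", "update": "none", "version": "0.1.0.39"},
    {"name": "contest-gallery", "status": "active", "update": "available", "version": "21.3.3"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])


def parse_version(v: str) -> tuple:
    """Turn '3.10.3' or '2.6.0-beta1' into a tuple of ints; a non-numeric piece ends parsing."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_le(a: str, b: str) -> bool:
    """True if version a <= version b, padding shorter tuples with zeros (21.3 == 21.3.0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa <= pb


def find_affected(plugins_json: str) -> list:
    """Return a finding per installed plugin that is in AFFECTED and at or below the listed version.

    Inactive plugins are reported too: their files stay on disk, so the update is still due.
    """
    findings = []
    for plugin in json.loads(plugins_json):
        slug = plugin.get("name")
        if slug not in AFFECTED:
            continue
        cve, max_vulnerable = AFFECTED[slug]
        installed = plugin.get("version", "0")
        if version_le(installed, max_vulnerable):
            findings.append({
                "plugin": slug,
                "version": installed,
                "cve": cve,
                "status": plugin.get("status"),
            })
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_WP_CLI_OUTPUT):
        print(f"{f['plugin']} {f['version']} ({f['status']}) matches {f['cve']}: upgrade")
```

Run it against real data with `wp plugin list --format=json > plugins.json` and feed the file contents to `find_affected`. Note that `version_le` only compares numeric components, so a pre-release suffix such as `-beta1` is ignored; treat any match as "upgrade now" rather than as proof the site is safe.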