
Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-32778 CVSS:7.1

The Contest Gallery plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions because of an insecure design vulnerability. By sending a specially crafted request, an attacker could bypass access restrictions and delete arbitrary files.

CVE-2024-4898 CVSS:9.8

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress could allow a remote attacker to bypass security restrictions because of missing authorization on an unauthenticated API. By sending a specially crafted request, an attacker could connect the site to the InstaWP API, edit arbitrary site options and create administrator accounts.

CVE-2024-3922 CVSS:10

The weDevs Dokan Pro plugin for WordPress is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements via the code parameter, allowing the attacker to view, add, modify or delete information in the back-end database.

CVE-2024-32781 CVSS:7.5

The Email Customizer for WooCommerce plugin for WordPress could allow a remote attacker to obtain sensitive information by sending a specially crafted request.

Impact

  • Security Bypass
  • Data Manipulation
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2024-32778
  • CVE-2024-4898
  • CVE-2024-3922
  • CVE-2024-32781

Affected Vendors

WordPress

Affected Products

  • Contest Gallery Plugin for WordPress 21.3.4
  • weDevs Dokan Pro plugin for WordPress 3.10.3
  • Email Customizer for WooCommerce Plugin for WordPress 2.6.0
  • InstaWP Connect Staging Migration plugin for WordPress 0.1.0.38

Remediation

Upgrade each affected plugin to the latest version, available from the WordPress Plugin Directory.
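As an added inventory check (not part of the Rewterz advisory), the script below reads the JSON produced by `wp plugin list --format=json --fields=name,title,version,status` and flags any installed plugin whose version is at or below the version listed above. The sample input, the plugin slugs in it, and the assumption that the listed versions are the highest affected ones are constructed for this example; confirm the fixed versions against each vendor's changelog.

```python
import json

# Affected plugin titles and the version this advisory lists for each.
# Assumption: installed version <= listed version is treated as affected.
AFFECTED = {
    "Contest Gallery": "21.3.4",
    "Dokan Pro": "3.10.3",
    "Email Customizer for WooCommerce": "2.6.0",
    "InstaWP Connect": "0.1.0.38",
}

def parse_version(v):
    """Split a dotted version into an integer tuple, ignoring non-numeric tails."""
    parts = []
    for p in v.split("."):
        digits = ""
        for ch in p:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_le(a, b):
    """True when version a <= version b, padding shorter tuples with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) <= tb + (0,) * (n - len(tb))

def find_vulnerable(plugins_json):
    """Return (title, installed, listed) for plugins at or below a listed version."""
    hits = []
    for plugin in json.loads(plugins_json):
        title = plugin.get("title", "")
        for name, listed in AFFECTED.items():
            if name.lower() in title.lower() and version_le(plugin["version"], listed):
                hits.append((title, plugin["version"], listed))
    return hits

# Constructed sample of `wp plugin list` JSON output (slugs are illustrative).
SAMPLE = json.dumps([
    {"name": "contest-gallery", "title": "Contest Gallery", "version": "21.3.4", "status": "active"},
    {"name": "dokan-pro", "title": "Dokan Pro", "version": "3.10.4", "status": "active"},
    {"name": "instawp-connect", "title": "InstaWP Connect - 1-click WP Staging & Migration", "version": "0.1.0.38", "status": "inactive"},
    {"name": "akismet", "title": "Akismet Anti-spam", "version": "5.3", "status": "active"},
])

if __name__ == "__main__":
    for title, installed, listed in find_vulnerable(SAMPLE):
        print(f"UPDATE NEEDED: {title} {installed} (advisory lists {listed})")
```

Inactive plugins are reported too, since an inactive but installed plugin still ships the vulnerable code on disk.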
