September 18, 2023
Severity
Medium
Analysis Summary
CVE-2023-4948 CVSS:4.3
WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability check on the refresh_order_cvr_data AJAX function. By sending a specially crafted request, an attacker could exploit this vulnerability to update CVR numbers for orders.
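The root cause above is an AJAX handler that can be reached without proving the caller is allowed to change order data. The following is an added illustration, not code from the CVR Payment Gateway plugin or from WooCommerce: the action name `update_order_note_demo`, the function names and the `_demo_note` meta key are hypothetical. It shows the unguarded shape of such a handler next to a hardened one that checks a nonce and a WooCommerce capability before touching the order.

```php
<?php
// Added illustration (not the plugin's code). Hook and meta-key names are hypothetical.

// Vulnerable pattern: wp_ajax_* fires for any logged-in user (wp_ajax_nopriv_* even for
// anonymous callers). Nothing here asks whether the caller may edit orders, so any
// account that can reach admin-ajax.php can rewrite data on any order ID it supplies.
add_action( 'wp_ajax_update_order_note_demo', 'demo_update_order_note_vulnerable' );
function demo_update_order_note_vulnerable() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $note     = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
    update_post_meta( $order_id, '_demo_note', $note );
    wp_send_json_success();
}

// Hardened pattern: a nonce bound to this action blocks cross-site requests, and a
// capability check limits the handler to shop staff. 'edit_shop_orders' is the
// capability WooCommerce grants to shop managers and administrators for orders.
add_action( 'wp_ajax_update_order_note_demo_safe', 'demo_update_order_note_safe' );
function demo_update_order_note_safe() {
    check_ajax_referer( 'demo_update_order_note', 'nonce' ); // terminates on a bad nonce
    if ( ! current_user_can( 'edit_shop_orders' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( 'invalid order', 400 );
    }
    $note = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
    $order->update_meta_data( '_demo_note', $note ); // works with and without HPOS
    $order->save();
    wp_send_json_success();
}
```

The nonce is emitted on the admin page with `wp_create_nonce( 'demo_update_order_note' )` and sent as the `nonce` POST field. When auditing a plugin for this class of bug, list every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirm each callback performs both a `current_user_can()` check and a `check_ajax_referer()` call before any write.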
CVE-2023-4945 CVSS:6.4
Booster for WooCommerce plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-4944 CVSS:6.4
Awesome Weather Widget Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability using the awesome-weather shortcode to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-4841 CVSS:6.4
Feeds for YouTube Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-5001 CVSS:6.4
Horizontal scrolling announcement for WordPress plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
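All four cross-site scripting entries above share one mechanism: shortcode or widget input supplied by an authenticated user is echoed into a page without being escaped for the HTML context it lands in. The block below is an added illustration and is not code from any of the listed plugins; the shortcode name `demo_banner` and its attributes are hypothetical. It contrasts an unescaped shortcode renderer with one that validates and escapes each value using the escaping helpers WordPress itself provides.

```php
<?php
// Added illustration (not any listed plugin's code). Shortcode and attribute names are hypothetical.

// Vulnerable pattern: attribute values are concatenated straight into markup. Anyone able
// to save post content can place a shortcode whose attributes break out of the attribute
// or tag context, and the result is rendered for every visitor and for admins previewing it.
function demo_banner_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'color' => '' ), $atts, 'demo_banner' );
    return '<div class="banner" style="color:' . $atts['color'] . '">'
         . $atts['title'] . '</div>';
}
add_shortcode( 'demo_banner', 'demo_banner_vulnerable' );

// Hardened pattern: validate values against what the feature actually needs, then escape
// each one for its destination (esc_html for text nodes, esc_attr for attribute values).
function demo_banner_safe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'color' => '' ), $atts, 'demo_banner_safe' );
    // Accept only a hex colour or a plain keyword; anything else is dropped rather than echoed.
    $color = preg_match( '/^(#[0-9a-fA-F]{3,8}|[a-zA-Z]+)$/', $atts['color'] ) ? $atts['color'] : '';
    $style = $color ? 'color:' . $color : '';
    return '<div class="banner" style="' . esc_attr( $style ) . '">'
         . esc_html( $atts['title'] ) . '</div>';
}
add_shortcode( 'demo_banner_safe', 'demo_banner_safe' );
```

The same rule applies to widget settings and plugin options: sanitize on save (`sanitize_text_field`, `absint`, an allow-list) and escape on output, because sanitizing alone does not know the context the value will later be printed into.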
CVE-2023-4994 CVSS:9.9
Allow PHP in Posts and Pages plugin for WordPress could allow a remote authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.
Impact
- Security Bypass
- Cross-Site Scripting
- Code Execution
Indicators Of Compromise
CVE
- CVE-2023-4948
- CVE-2023-4945
- CVE-2023-4944
- CVE-2023-4841
- CVE-2023-5001
- CVE-2023-4994
Affected Vendors
WordPress
Affected Products
- WooCommerce CVR Payment Gateway Plugin for WordPress 6.1.0
- Booster for WooCommerce Plugin for WordPress 3.0.2
- Awesome Weather Widget plugin for WordPress 3.0.2
- Feeds for YouTube Plugin for WordPress 2.1
- Horizontal scrolling announcement for WordPress plugin for WordPress 9.2
- Allow PHP in Posts and Pages plugin for WordPress 3.0.4
Remediation
Upgrade each affected plugin listed above, including WooCommerce CVR Payment Gateway Plugin for WordPress, to the latest version available from the WordPress Plugin Directory.