April 18, 2024
Severity
Medium
Analysis Summary
CVE-2024-31421 CVSS:4.3
Popup by Supsystic Plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by broken access control (a missing authorization check). By sending a specially crafted request, an attacker could exploit this vulnerability to edit posts without permission.
CVE-2024-31432 CVSS:5.3
Restrict Content Plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by broken access control. By sending a specially crafted request, an attacker could exploit this vulnerability to edit posts without permission.
CVE-2023-52144 CVSS:5.5
Product Feed Manager Plugin for WordPress could allow a remote authenticated attacker to traverse directories on the system. By sending a specially crafted request containing path traversal sequences, an attacker could exploit this vulnerability to modify arbitrary files on the system.
CVE-2024-32454 CVSS:4.4
Wappointment Plugin for WordPress is vulnerable to server-side request forgery (SSRF). A remote authenticated attacker could exploit this vulnerability to make the affected server issue requests on the attacker's behalf, allowing the attacker to access or manipulate resources from the perspective of the server.
CVE-2024-31372 CVSS:4.3
No-Bot Registration Plugin for WordPress is vulnerable to cross-site request forgery (CSRF), caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious website, a remote attacker could cause the user's browser to send a forged HTTP request that performs unauthorized actions with that user's privileges. An attacker could exploit this vulnerability to perform cross-site scripting attacks, web cache poisoning, and other malicious activities.
CVE-2024-31371 CVSS:4.3
WP Event Aggregator Plugin for WordPress is vulnerable to cross-site request forgery (CSRF), caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious website, a remote attacker could cause the user's browser to send a forged HTTP request that performs unauthorized actions with that user's privileges. An attacker could exploit this vulnerability to perform cross-site scripting attacks, web cache poisoning, and other malicious activities.
CVE-2024-3054 CVSS:7.2
WPvivid Backup & Migration Plugin for WordPress could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a PHAR deserialization flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to delete arbitrary files, retrieve sensitive data, or execute code.
Impact
- Security Bypass
- Data Manipulation
- Gain Access
Indicators of Compromise
CVE
- CVE-2024-31421
- CVE-2024-31432
- CVE-2023-52144
- CVE-2024-32454
- CVE-2024-31372
- CVE-2024-31371
- CVE-2024-3054
Affected Vendors
Affected Products
- Popup by Supsystic Plugin for WordPress, versions up to and including 1.10.27
- Restrict Content Plugin for WordPress, versions up to and including 3.2.8
- Product Feed Manager Plugin for WordPress, versions up to and including 7.3.15
- Wappointment Plugin for WordPress, versions up to and including 2.6.0
- No-Bot Registration Plugin for WordPress, versions up to and including 1.9.1
- WP Event Aggregator Plugin for WordPress, versions up to and including 1.7.6
- WPvivid Backup & Migration Plugin for WordPress, versions up to and including 0.9.99
Remediation
Upgrade each affected plugin to the latest version available from the WordPress Plugin Directory. Check the installed version of every plugin listed above against the affected versions; a site running any of those versions remains exposed until the plugin is updated.
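The following POSIX shell script is an added example and is not part of the original advisory or of any of the plugins' own tooling. It compares installed plugin versions against the "up to and including" versions listed under Affected Products. It assumes the input is the `title,version` CSV that `wp plugin list --fields=title,version --format=csv` prints (WP-CLI), that titles contain no commas, and that the advisory's plugin names appear as substrings of the WP-CLI titles; a constructed sample is embedded so the script runs offline.

```shell
#!/bin/sh
# Added example: flag installed WordPress plugins that are at or below the
# affected versions from this advisory. Not the advisory's own tooling.

# Plugin name (as in the Affected Products list) | highest affected version
AFFECTED='Popup by Supsystic|1.10.27
Restrict Content|3.2.8
Product Feed Manager|7.3.15
Wappointment|2.6.0
No-Bot Registration|1.9.1
WP Event Aggregator|1.7.6
WPvivid Backup & Migration|0.9.99'

# version_le A B: succeeds when dotted version A <= B (numeric, per component).
# Implemented in awk so it does not depend on GNU "sort -V".
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 0
  }'
}

# check_plugins CSV: CSV is "title,version" lines as printed by
#   wp plugin list --fields=title,version --format=csv
# Prints one VULNERABLE line per installed plugin at or below an affected version.
check_plugins() {
  printf '%s\n' "$1" | while IFS=, read -r title version; do
    [ "$title" = "title" ] && continue          # skip the CSV header row
    [ -z "$title" ] && continue
    printf '%s\n' "$AFFECTED" | while IFS='|' read -r name maxver; do
      case "$title" in
        *"$name"*)
          if version_le "$version" "$maxver"; then
            printf 'VULNERABLE: %s %s (affected through %s)\n' \
              "$title" "$version" "$maxver"
          fi ;;
      esac
    done
  done
}

# Constructed sample in the WP-CLI CSV shape (not real inventory data):
# two plugins at affected versions, one already patched, one unrelated.
SAMPLE='title,version
Popup by Supsystic,1.10.27
Restrict Content,3.2.9
WPvivid Backup & Migration,0.9.98
Akismet Anti-spam,5.3'

check_plugins "$SAMPLE"
```

On a live site replace the embedded sample with `wp plugin list --fields=title,version --format=csv` output (for example `check_plugins "$(wp plugin list --fields=title,version --format=csv)"`); any plugin reported as VULNERABLE should be updated from the WordPress Plugin Directory.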