May 7, 2024
Severity
High
Analysis Summary
CVE-2024-4033 CVSS: 8.8
The Plugins360 All-in-One Video Gallery plugin for WordPress could allow a remote authenticated attacker to upload arbitrary files, caused by improper validation of file extensions in the aiovg_create_attachment_from_external_image_url function. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious file, which could allow the attacker to execute arbitrary code on the vulnerable system.
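The hardened check implied by the entry above, as an added illustration that is not the plugin's own code or fix: the extension is taken from the URL path only, matched against an allowlist, and then confirmed against the MIME type sniffed from the downloaded bytes. The function name and the embedded 1x1 PNG sample are constructed for this example.

```php
<?php
// Added illustration (not the plugin's code): validate an image fetched from an
// external URL before it is stored as a media attachment.

const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Returns the validated extension, or null if the file must be rejected.
 *
 * @param string $url      The external image URL supplied by the user.
 * @param string $tmpPath  Path to the already-downloaded file contents.
 */
function validate_external_image(string $url, string $tmpPath): ?string
{
    // 1. Extension from the URL *path* only, never from the query string or a
    //    user-supplied filename, and only if it is on the allowlist.
    $path = (string) parse_url($url, PHP_URL_PATH);
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }

    // 2. MIME type from the bytes actually downloaded, not from the
    //    Content-Type header the remote server chose to send.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }

    // 3. The content must also parse as an image of the claimed type.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return $ext;
}

// Constructed sample input: a 1x1 transparent PNG written to a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($tmp, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
var_dump(validate_external_image('https://example.com/pic.png?x=.php', $tmp)); // accepted
var_dump(validate_external_image('https://example.com/pic.php', $tmp));        // rejected
unlink($tmp);
```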
CVE-2024-4185 CVSS: 8.1
The Customer Email Verification for WooCommerce plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by the use of an insufficiently random activation code. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the email verification.
Impact
- Gain Access
- Security Bypass
Indicators of Compromise
CVE
- CVE-2024-4033
- CVE-2024-4185
Affected Vendors
Affected Products
- Plugins360 All-in-One Video Gallery plugin for WordPress 3.6.4
- Customer Email Verification for WooCommerce plugin for WordPress 2.7.4
Remediation
Upgrade each affected plugin to the latest version available from the WordPress Plugins Directory.