
Critical Vulnerabilities affecting WordPress (CVE-2024-5522, CVE-2024-5150, CVE-2024-3412)

Advisory No: TZCERT/SA/2024/05/31-1

Date of First Release: 31st May 2024

Source: Wordfence

Software Affected: html5-video-player, login-with-phone-number, wp-staging

Overview:

Three WordPress plugins are affected by critical vulnerabilities. Attackers can leverage these vulnerabilities to take control of the affected system.

Description:

Three WordPress plugins, namely html5-video-player, login-with-phone-number and wp-staging, are affected by the vulnerabilities tracked as CVE-2024-5522, CVE-2024-5150 and CVE-2024-3412 respectively. The flaws stem from insufficient escaping and validation of user-supplied data. Attackers can exploit the vulnerabilities to gain access to the vulnerable system and to sensitive information.

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to take control of the vulnerable system.

Solution:

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
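An added example (not TZCERT, Wordfence or plugin code) of how an administrator can triage a site against this advisory: it parses the JSON printed by WP-CLI's `wp plugin list --format=json`, flags the three plugin slugs named above, and builds the matching `wp plugin update` command. The sample output is constructed; since the advisory does not list affected versions, the check relies on WP-CLI's own `update` field rather than a version comparison.

```python
"""Flag installed WordPress plugins named in the advisory (added example)."""
import json

# Plugin slugs from the advisory, mapped to the CVE each one is tracked under.
ADVISORY_PLUGINS = {
    "html5-video-player": "CVE-2024-5522",
    "login-with-phone-number": "CVE-2024-5150",
    "wp-staging": "CVE-2024-3412",
}

# Constructed sample of `wp plugin list --format=json` output (versions are placeholders).
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "html5-video-player", "status": "active", "update": "available", "version": "x.y.z"},
    {"name": "login-with-phone-number", "status": "inactive", "update": "available", "version": "x.y.z"},
    {"name": "wp-staging", "status": "active", "update": "none", "version": "x.y.z"},
])


def triage_plugins(wp_cli_json):
    """Return one finding per installed plugin that the advisory names.

    Inactive plugins are reported too: their files stay on disk and
    may still be reachable, so they should be updated or removed."""
    findings = []
    for plugin in json.loads(wp_cli_json):
        cve = ADVISORY_PLUGINS.get(plugin.get("name"))
        if cve is None:
            continue
        findings.append({
            "plugin": plugin["name"],
            "cve": cve,
            "active": plugin.get("status") == "active",
            "update_available": plugin.get("update") == "available",
        })
    return findings


def update_command(findings):
    """Build the WP-CLI command for every flagged plugin with a pending update,
    or return None when WP-CLI reports nothing to update."""
    slugs = [f["plugin"] for f in findings if f["update_available"]]
    if not slugs:
        return None
    return "wp plugin update " + " ".join(slugs)


if __name__ == "__main__":
    found = triage_plugins(SAMPLE_WP_CLI_OUTPUT)
    for finding in found:
        print(finding)
    print(update_command(found))
```

A plugin that is flagged but shows no pending update (wp-staging in the sample) still needs its installed version checked against the Wordfence entry in the references.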

References:

  1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/html5-video-player/html5-video-player-2526-unauthenticated-sql-injection
  2. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/login-with-phone-number/login-with-phone-number-1726-authentication-bypass-due-to-missing-empty-value-check
  3. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-staging/wp-staging-wordpress-backup-plugin-migration-backup-restore-343-authenticated-admin-arbitrary-file-upload
