
Critical vulnerabilities in WordPress Plugins Hotel Booking Lite and LearnPress (CVE-2024-4413, CVE-2024-4434)

Advisory No: TZCERT/SA/2024/05/10-2

Date of First Release: 10th May 2024

Source: Wordfence

Software Affected: Hotel Booking Lite, LearnPress

Overview:

WordPress CMS installations running the affected plugins are vulnerable to two (2) critical vulnerabilities. Attackers can leverage these vulnerabilities to execute code and gain access to sensitive information.

Description:

Two plugins, namely Hotel Booking Lite and LearnPress, are affected by critical vulnerabilities, both rated at 9.8 and tracked as CVE-2024-4413 and CVE-2024-4434 respectively. The flaws exist as a result of PHP Object Injection in the Hotel Booking Lite plugin, and of insufficient escaping on a user-supplied parameter together with a lack of sufficient preparation on the existing SQL query in LearnPress. Attackers can exploit these vulnerabilities to execute code and gain access to sensitive information, respectively.
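The two weakness classes named above, each shown as a weak pattern beside its hardened form. This is an added illustrative example, not code from Hotel Booking Lite, LearnPress or Wordfence; the function names and the `example_orders` table are hypothetical.

```php
<?php
// Illustrative example (not code from Hotel Booking Lite or LearnPress):
// the two weakness classes named in the advisory, each beside a hardened form.
// Function names and the example_orders table are hypothetical.

// --- 1. PHP Object Injection: unserialize() on attacker-controlled data ---

// Weak: a crafted serialized string supplied in the request can instantiate
// objects of any class loaded by the site, which is what makes the flaw critical.
function load_state_unsafe( $raw ) {
    return unserialize( $raw );
}

// Hardened: refuse to instantiate objects at all (allowed_classes, PHP >= 7.0)
// and validate the resulting shape before using it.
function load_state_safe( $raw ) {
    $data = unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        return array();
    }
    return $data;
}

// Preferred when objects are never needed: a data-only format such as JSON.
function load_state_json( $raw ) {
    $data = json_decode( $raw, true ); // associative arrays only, never objects
    return is_array( $data ) ? $data : array();
}

// --- 2. SQL Injection: user input concatenated into an unprepared query ---

// Weak: $order_id is placed straight into the SQL string; no escaping, no preparation.
function get_order_unsafe( $wpdb, $order_id ) {
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}example_orders WHERE id = $order_id" );
}

// Hardened: coerce the type and bind the value through a $wpdb->prepare() placeholder.
function get_order_safe( $wpdb, $order_id ) {
    $order_id = absint( $order_id );
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example_orders WHERE id = %d",
            $order_id
        )
    );
}
```

When reviewing a plugin, grep for `unserialize(` without an `allowed_classes` option and for `$wpdb->query`/`get_row`/`get_results` calls whose SQL string interpolates a variable without going through `$wpdb->prepare()`.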

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system and gain access to sensitive information.

Solution:

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.

References:

  1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/motopress-hotel-booking-lite/hotel-booking-lite-4111-unauthenticated-php-object-injection
  2. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-wordpress-lms-plugin-4265-unauthenticated-time-based-sql-injection
