
Alerts

Two critical vulnerabilities affecting WordPress plugins (CVE-2024-6220, CVE-2024-6457)

Advisory No: TZCERT/SA/2024/07/19-1

Date of First Release: 19th July 2024

Source: Wordfence

Software Affected: Keydatas (WordPress plugin), woocommerce-products-filter (HUSKY Products Filter Professional for WooCommerce, WordPress plugin)

Overview:

Two (2) WordPress plugins are affected by critical vulnerabilities. CVE-2024-6220 allows an unauthenticated attacker to upload arbitrary files, which makes remote code execution possible; CVE-2024-6457 is an unauthenticated time-based SQL injection that allows data to be extracted from the site database.

Description:

Two (2) WordPress plugins, namely Keydatas and woocommerce-products-filter (HUSKY Products Filter Professional for WooCommerce), are affected by the vulnerabilities tracked as CVE-2024-6220 and CVE-2024-6457 respectively. CVE-2024-6220 (Keydatas, versions up to and including 2.5.2 according to Wordfence) is caused by missing file type validation in the keydatas_downloadImages function; an unauthenticated attacker can use it to upload arbitrary files, including PHP scripts, to the server and execute them. CVE-2024-6457 (HUSKY, versions up to and including 1.3.6 according to Wordfence) is caused by insufficient escaping of a user-supplied parameter and lack of sufficient preparation on the existing SQL query; an unauthenticated attacker can append additional SQL to the query and, using a time-based (blind) technique, extract sensitive information from the database without seeing any query output directly.
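The two bug classes named above, shown as an added illustrative example in WordPress PHP. This is not code from the Keydatas or HUSKY plugins; the function names (ex_*) and the product filter query are hypothetical, and the point is the pattern: an unvalidated remote download written into a web-reachable directory, and a request parameter concatenated into SQL, each beside a hardened version that uses core WordPress APIs.

```php
<?php
/**
 * Added illustrative example, not code from the Keydatas or HUSKY plugins.
 * All ex_* functions and the product filter query are hypothetical.
 */

// --- 1. Arbitrary file upload through a "download image from URL" feature ---

// INSECURE pattern: the URL is trusted, the remote file name decides the
// extension, and the body is written straight into the uploads directory.
// A request for https://attacker.example/shell.php lands as a web-reachable
// .php file, which is the remote-code-execution path.
function ex_download_image_insecure( $url ) {
    $upload = wp_upload_dir();
    $dest   = $upload['path'] . '/' . basename( (string) parse_url( $url, PHP_URL_PATH ) );
    file_put_contents( $dest, file_get_contents( $url ) );
    return $dest;
}

// HARDENED: require a capability (an AJAX handler should also verify a nonce
// with check_ajax_referer()), validate the URL, fetch to a temporary file,
// check the extension AND the real image type against an image-only allow
// list, then let core's sideload path (which re-applies the same checks)
// store the file.
function ex_download_image_hardened( $url ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    if ( ! wp_http_validate_url( $url ) ) {
        return new WP_Error( 'bad_url', 'Invalid URL.' );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }

    // Only these types may be stored, whatever the remote name claims.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $name  = sanitize_file_name( basename( (string) parse_url( $url, PHP_URL_PATH ) ) );
    $check = wp_check_filetype_and_ext( $tmp, $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_type', 'Not an allowed image type.' );
    }
    // If the content is a valid image under a wrong extension, use the name
    // core considers correct for the detected type.
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename'];
    }

    $file_array = array( 'name' => $name, 'tmp_name' => $tmp );
    $id = media_handle_sideload( $file_array, 0 );
    if ( is_wp_error( $id ) ) {
        @unlink( $tmp );
    }
    return $id; // attachment ID on success
}

// --- 2. SQL injection from an unescaped, unprepared filter parameter --------

// INSECURE pattern: the request value is concatenated into the query text.
// A time-based payload (e.g. one containing SLEEP()) needs no visible output;
// the attacker reads the database from the response delay.
function ex_filter_products_insecure() {
    global $wpdb;
    $term = $_REQUEST['filter'];
    return $wpdb->get_results(
        "SELECT p.ID FROM {$wpdb->posts} p
         INNER JOIN {$wpdb->term_relationships} tr ON tr.object_id = p.ID
         WHERE p.post_type = 'product' AND tr.term_taxonomy_id = $term"
    );
}

// HARDENED: coerce the value to the expected type, then bind it with
// $wpdb->prepare() so it never becomes part of the SQL text.
function ex_filter_products_hardened() {
    global $wpdb;
    $term = isset( $_REQUEST['filter'] ) ? absint( $_REQUEST['filter'] ) : 0;
    if ( 0 === $term ) {
        return array();
    }
    $sql = $wpdb->prepare(
        "SELECT p.ID FROM {$wpdb->posts} p
         INNER JOIN {$wpdb->term_relationships} tr ON tr.object_id = p.ID
         WHERE p.post_type = 'product' AND p.post_status = 'publish'
           AND tr.term_taxonomy_id = %d",
        $term
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for either class, the checks are the same: any path that writes a file obtained from a request or a remote URL must decide the extension and type from an allow list and the file contents, not from the supplied name, and any `$wpdb` query that embeds a variable must go through `$wpdb->prepare()` with `%d`/`%s` placeholders.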

Impact:

Successful exploitation of these vulnerabilities may allow an unauthenticated attacker to take control of the affected site and its server (CVE-2024-6220) or to read sensitive data from the site database (CVE-2024-6457).

Solution:

The plugin developers have released patched versions. Users and administrators are encouraged to update the affected plugins to the latest patched version listed in the Wordfence advisories referenced below.

References:

  1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/keydatas/keydatas-252-unauthenticated-arbitrary-file-upload
  2. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-products-filter/husky-products-filter-professional-for-woocommerce-136-unauthenticated-time-based-sql-injection

TZCERT-SU-24-0778 (WordPress Security Update)

Wordfence has published security advisories for vulnerabilities in the WordPress plugins fv-wordpress-flowplayer, duplica, elementskit-lite, yith-essential-kit and give. Exploitation of these vulnerabilities may allow an attacker to gain escalated privileges.

Users and administrators are encouraged to review the Wordfence Security Advisories for fv-wordpress-flowplayer, duplica, elementskit-lite, yith-essential-kit-for-woocommerce-1 and givewp and apply the necessary updates.

TZCERT-SU-24-0777 (Lenovo Security Update)

Lenovo has released security updates to address vulnerabilities in multiple products. Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review the Lenovo Security Advisories dated 18th July 2024 and apply the necessary updates.

TZCERT-SU-24-0775 (Slackware Security Update)

Slackware has released security updates to address vulnerabilities in OpenSSL and httpd (Apache HTTP Server). Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review the Slackware Security Advisories slackware-462281 and slackware-371398 and apply the necessary updates.