This Metasploit module exploits an unauthenticated directory traversal vulnerability in WordPress plugin Duplicator versions 1.3.24 through 1.3.26, allowing arbitrary file read with the web server's privileges. This vulnerability was being actively exploited when it was discovered.
WordPress Ultimate Member plugin versions 2.6.6 and below suffer from a privilege escalation vulnerability.
WordPress Getwid Gutenberg Blocks plugin versions 1.8.3 and below suffer from improper authorization and server-side request forgery vulnerabilities.
WordPress Core versions 6.2 and below suffer from cross site request forgery, persistent cross site scripting, shortcode execution, insufficient sanitization, and directory traversal vulnerabilities.
WordPress Shield Security Smart Bot Blocking and Intrusion Prevention plugin versions 17.0.17 and below suffer from cross site scripting and missing authorization vulnerabilities.
WordPress Weaver Xtreme theme versions 5.0.7 and below and Weaver Show Posts plugin versions 1.6 and below suffer from a persistent cross site scripting vulnerability.
The Wordfence Threat Intelligence team has released their 2022 State of WordPress Security report. In the report, they look at changes in the threat landscape, analyze impactful trends, and provide recommendations based on their findings.
WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross site request forgery, insufficient access control, and cross site scripting vulnerabilities.
WordPress Elementor plugin versions 3.6.0 through 3.6.2 suffer from a remote shell upload vulnerability. This is achieved by sending a request to install Elementor Pro from a user supplied zip file. Any user with Subscriber or more permissions is able to execute this.
The Wordfence Threat Intelligence team uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in object injection. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present. This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.
Jupiter Theme versions 6.10.1 and below as well as JupiterX Core plugin versions 2.0.7 and below suffer from privilege escalation and post deletion vulnerabilities. JupiterX Theme versions 2.0.6 and below as well as JupiterX Core versions 2.0.6 and below suffer from plugin deactivation and setting modification flaws. JupiterX Theme versions 2.0.6 and below as well as Jupiter Theme versions 6.10.1 and below suffer from path traversal and local file inclusion vulnerabilities. Jupiter Theme versions 6.10.1 and below suffer from an arbitrary plugin deletion vulnerability. JupiterX Core plugin versions 2.0.6 and below suffer from information disclosure, modification, and denial of service vulnerabilities.
WordPress Booking Calendar plugin versions 9.1 and below suffer from PHP object injection and insecure deserialization vulnerabilities.
WordPress Elementor versions 3.6.0 through 3.6.2 suffer from a remote code execution vulnerability.
WordPress CleanTalk plugin versions 5.173 and below suffer from multiple cross site scripting vulnerabilities.
WordPress 99robots Header Footer Code Manager plugin versions 1.1.16 and below suffer from a cross site scripting vulnerability.
PHP Everywhere versions 2.0.3 and below suffer from multiple remote code execution vulnerabilities.
WordPress NextScripts: Social Networks Auto-Poster plugin versions 4.3.20 and below suffer from a cross site scripting vulnerability.
This Metasploit module exploits an unauthenticated directory traversal vulnerability in WordPress Duplicator plugin versions 1.3.24 through 1.3.26, allowing arbitrary file read with the web server's privileges. This vulnerability was being actively exploited when it was discovered.