The Cyber Security Agency of Singapore has issued a critical alert concerning vulnerabilities in several WordPress plugins, highlighting the urgency for users to take immediate action. These WordPress plugin vulnerabilities, deemed critical, pose significant risks to website security, potentially allowing unauthorized access and exploitation by malicious actors.
Security updates have been promptly released to address these critical vulnerabilities in multiple WordPress plugins. SingCERT has reported 9 critical WordPress plugin vulnerabilities and has shared the mitigation strategies to avoid exploration by threat actors.
SingCERT Flagged Multiple WordPress Plugin Vulnerabilities
SingCERT flagged these critical WordPress vulnerabilities, including those allowing arbitrary file uploads and SQL injection. These vulnerabilities are as follows:
WordPress Copymatic
AI Content Writer & Generator: Exploitation of this vulnerability (CVE-2024-31351) could enable an unauthenticated attacker to upload arbitrary files to a website, potentially compromising its integrity. The severity of this vulnerability is highlighted by its maximum CVSSv3.1 score of 10 out of 10, affecting plugin versions prior to 1.7.
Pie Register
Social Sites Login (Add on): Identified with CVE-2024-4544, this plugin vulnerability allows for authentication bypass, potentially enabling unauthorized access to user accounts. With a CVSSv3.1 score of 9.8 out of 10, versions of the plugin before 1.7.8 are affected.
Hash Form Drag & Drop Form Builder
The Hash Form Drag & Drop Form Builder vulnerability (CVE-2024-5084) permits unauthenticated attackers to upload arbitrary files, facilitating remote code execution on affected sites. Its severity, rated 9.8 out of 10, affects versions of the plugin before 1.1.1.
Country State City Dropdown CF7 Plugin
The vulnerability (CVE-2024-3495) identified in this plugin allows for SQL injection, potentially compromising sensitive data stored in the website’s database. The vulnerability is rated at 9.8 out of 10 and versions before 2.7.3 are affected.
WPZOOM Addons for Elementor (Templates, Widgets)
This vulnerability (CVE-2024-5147) enables unauthenticated attackers to upload and execute arbitrary files on the server, posing a severe threat to website security. Versions of the plugin before 1.1.38 are vulnerable, with a CVSSv3.1 score of 9.8 out of 10.
Business Directory Plugin
Easy Listing Directories: Vulnerable to SQL injection (CVE-2024-4443), this plugin allows unauthenticated attackers to extract sensitive information from the website’s database. With a CVSSv3.1 score of 9.8 out of 10, versions before 6.4.3 are at risk.
UserPro Plugin
This vulnerability (CVE-2024-35700) enables attackers to escalate privileges, potentially gaining full control of the affected website. Versions of the plugin before 5.1.9 are affected, with a CVSSv3.1 score of 9.8 out of 10.
Fluent Forms Contact Form Plugin
Vulnerable versions of this plugin (CVE-2024-2771) permit privilege escalation, posing significant risks to website security. The versions prior to 5.1.17 are affected, with a CVSSv3.1 score of 9.8 out of 10. It’s worth noting that this vulnerability is actively exploited.
Web Directory Free Plugin
This plugin vulnerability (CVE-2024-3552) allows unauthenticated attackers to interact directly with the website’s database through SQL injection, potentially leading to data theft. Versions before 1.7.0 are affected, with a CVSSv3.1 score of 9.3 out of 10.
Mitigation Strategies for WordPress Vulnerabilities
Users and administrators using the affected versions of these WordPress plugins are strongly advised to update to the latest versions immediately to mitigate these vulnerabilities and safeguard their websites against potential exploitation.
For further details and guidance on mitigation for these WordPress plugin vulnerabilities, users can refer to the respective plugin documentation and updates provided by the developers. Additionally, employing security measures such as virtual patching can provide interim protection while awaiting updates.
Ensuring the security of WordPress websites requires proactive measures, including regular updates and monitoring for vulnerabilities. By staying informed and promptly addressing security concerns, website owners can effectively protect their online assets from potential threats.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
