SingCERT Warns Critical Vulnerabilities Found in Multiple WordPress Plugins

SingCERT has reported 9 critical WordPress plugin vulnerabilities and has shared mitigation strategies to avoid exploitation by threat actors.

The Cyber Security Agency of Singapore has issued a critical alert concerning vulnerabilities in several WordPress plugins, highlighting the urgency for users to take immediate action. These WordPress plugin vulnerabilities, deemed critical, pose significant risks to website security, potentially allowing unauthorized access and exploitation by malicious actors.

Security updates have been promptly released to address these critical vulnerabilities in multiple WordPress plugins.

SingCERT Flagged Multiple WordPress Plugin Vulnerabilities

SingCERT flagged these critical WordPress vulnerabilities, including those allowing arbitrary file uploads and SQL injection. These vulnerabilities are as follows: 

WordPress Copymatic AI Content Writer & Generator

Exploitation of this vulnerability (CVE-2024-31351) could enable an unauthenticated attacker to upload arbitrary files to a website, potentially compromising its integrity. The severity of this vulnerability is highlighted by its maximum CVSSv3.1 score of 10 out of 10, affecting plugin versions prior to 1.7.

Pie Register Social Sites Login (Add on)

Identified with CVE-2024-4544, this plugin vulnerability allows for authentication bypass, potentially enabling unauthorized access to user accounts. With a CVSSv3.1 score of 9.8 out of 10, versions of the plugin before 1.7.8 are affected.

Hash Form Drag & Drop Form Builder

The Hash Form Drag & Drop Form Builder vulnerability (CVE-2024-5084) permits unauthenticated attackers to upload arbitrary files, facilitating remote code execution on affected sites. Rated 9.8 out of 10, it affects versions of the plugin before 1.1.1.

Country State City Dropdown CF7 Plugin

The vulnerability (CVE-2024-3495) identified in this plugin allows for SQL injection, potentially compromising sensitive data stored in the website’s database. The vulnerability is rated at 9.8 out of 10 and versions before 2.7.3 are affected.

WPZOOM Addons for Elementor (Templates, Widgets)

This vulnerability (CVE-2024-5147) enables unauthenticated attackers to upload and execute arbitrary files on the server, posing a severe threat to website security. Versions of the plugin before 1.1.38 are vulnerable, with a CVSSv3.1 score of 9.8 out of 10.

Business Directory Plugin (Easy Listing Directories)

Vulnerable to SQL injection (CVE-2024-4443), this plugin allows unauthenticated attackers to extract sensitive information from the website’s database. With a CVSSv3.1 score of 9.8 out of 10, versions before 6.4.3 are at risk.

UserPro Plugin

This vulnerability (CVE-2024-35700) enables attackers to escalate privileges, potentially gaining full control of the affected website. Versions of the plugin before 5.1.9 are affected, with a CVSSv3.1 score of 9.8 out of 10.

Fluent Forms Contact Form Plugin

Vulnerable versions of this plugin (CVE-2024-2771) permit privilege escalation, posing significant risks to website security. Versions prior to 5.1.17 are affected, with a CVSSv3.1 score of 9.8 out of 10. It’s worth noting that this vulnerability is actively exploited.

Web Directory Free Plugin

This plugin vulnerability (CVE-2024-3552) allows unauthenticated attackers to interact directly with the website’s database through SQL injection, potentially leading to data theft. Versions before 1.7.0 are affected, with a CVSSv3.1 score of 9.3 out of 10.

Mitigation Strategies for WordPress Vulnerabilities

Users and administrators using the affected versions of these WordPress plugins are strongly advised to update to the latest versions immediately to mitigate these vulnerabilities and safeguard their websites against potential exploitation.
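The first step in that update advice is knowing which installed plugins actually fall inside the affected ranges. The script below is an added example, not code from SingCERT or from this article: it transcribes the fixed versions listed above into a table and checks an installed-plugin inventory against it with a numeric version comparison (so 1.10 is correctly treated as newer than 1.7). The inventory is constructed sample data in the shape of WP-CLI's `wp plugin list --fields=title,version --format=json` output; matching on the plugin title by prefix, and the shortened table keys, are assumptions of this example.

```python
"""Flag installed WordPress plugins that are below the fixed versions
named in the SingCERT advisory.

Added example, not part of the original article or of any SingCERT tooling.
The advisory table below is transcribed from the article; the inventory is
constructed sample data shaped like `wp plugin list --format=json`."""
import json
import re

# Fixed version per plugin, from the article ("versions before X are affected").
# Keys are shortened plugin names (an assumption); matching is by prefix.
ADVISORY = {
    "Copymatic AI Content Writer & Generator": ("CVE-2024-31351", "1.7"),
    "Pie Register Social Sites Login (Add on)": ("CVE-2024-4544", "1.7.8"),
    "Hash Form Drag & Drop Form Builder": ("CVE-2024-5084", "1.1.1"),
    "Country State City Dropdown CF7": ("CVE-2024-3495", "2.7.3"),
    "WPZOOM Addons for Elementor": ("CVE-2024-5147", "1.1.38"),
    "Business Directory Plugin": ("CVE-2024-4443", "6.4.3"),
    "UserPro": ("CVE-2024-35700", "5.1.9"),
    "Fluent Forms": ("CVE-2024-2771", "5.1.17"),
    "Web Directory Free": ("CVE-2024-3552", "1.7.0"),
}

# Constructed sample inventory (not real site data), in the shape of
# `wp plugin list --fields=title,version --format=json`.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"title": "Fluent Forms", "version": "5.1.16"},                      # below fix
    {"title": "UserPro", "version": "5.1.9"},                            # at fix
    {"title": "Hash Form - Drag & Drop Form Builder", "version": "1.1.0"},  # below fix
    {"title": "Akismet Anti-spam", "version": "5.3"},                    # not listed
    {"title": "WPZOOM Addons for Elementor (Templates, Widgets)", "version": "1.1.38"},  # at fix
])


def parse_version(v):
    """Turn '1.7.8' into (1, 7, 8); non-numeric parts such as '-beta' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(installed, fixed):
    """True when installed < fixed, compared numerically component by component.
    Missing trailing components count as zero, so 1.7 equals 1.7.0."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def normalise(title):
    """Lowercase, strip punctuation and collapse whitespace so that
    'Hash Form - Drag & Drop Form Builder' and the advisory key compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", title.lower()).strip()


def scan(plugin_list_json):
    """Return [(title, installed_version, cve, fixed_version)] for every
    installed plugin whose version is below the advisory's fixed version."""
    table = {normalise(k): (cve, fixed) for k, (cve, fixed) in ADVISORY.items()}
    findings = []
    for plugin in json.loads(plugin_list_json):
        key = normalise(plugin["title"])
        for adv_key, (cve, fixed) in table.items():
            # Prefix match: "Fluent Forms Contact Form Plugin" matches "Fluent Forms",
            # but the base "Pie Register" does not match the "Social Sites Login" add-on.
            if key.startswith(adv_key) and is_affected(plugin["version"], fixed):
                findings.append((plugin["title"], plugin["version"], cve, fixed))
    return findings


if __name__ == "__main__":
    for title, installed, cve, fixed in scan(SAMPLE_WP_PLUGIN_LIST):
        print(f"UPDATE NEEDED: {title} {installed} -> {fixed} ({cve})")
```

On a real site, feed the script the JSON produced by `wp plugin list --format=json` instead of the constructed sample; plugins that are absent from the table are ignored, and a plugin already at the fixed version produces no finding.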

For further details and guidance on mitigation for these WordPress plugin vulnerabilities, users can refer to the respective plugin documentation and updates provided by the developers. Additionally, employing security measures such as virtual patching can provide interim protection while awaiting updates.

Ensuring the security of WordPress websites requires proactive measures, including regular updates and monitoring for vulnerabilities. By staying informed and promptly addressing security concerns, website owners can effectively protect their online assets from potential threats.

Ashish Khaitan

Ashish is a technical writer at The Cyber Express. He adores writing about the latest technologies and covering the latest cybersecurity events. In his free time, he likes to play horror and open-world video games.
