Malware infects over 3900 WordPress sites using this plugin
including versions up to 2.8.3. The issue has been corrected in the update 2.8.4, issued on March 6, 2024.
The vulnerability stems from insufficient input sanitization and missing output escaping, which allows unauthenticated attackers to inject arbitrary web scripts into pages; the injected script then executes every time a user visits the affected page (a stored cross-site scripting flaw).
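To illustrate the two-layer defect described above, here is an added example (hypothetical plugin code, not the affected plugin's source or anything published by Wordfence) showing a stored-XSS pattern beside its hardened form, which sanitizes on input, escapes on output, and gates who may write. Function and option names are assumptions for the illustration.

```php
<?php
// Added example: hypothetical WordPress plugin code, not the affected plugin's source.
// Pattern described in the advisory: an unauthenticated request stores a value
// that is later rendered into a page without sanitization or escaping.

// VULNERABLE: raw input stored, raw value printed.
function vulnerable_save_display_name() {
    // No capability check, no nonce, no sanitization: any visitor can store a script.
    update_option( 'demo_display_name', $_POST['display_name'] );
}
function vulnerable_render_display_name() {
    // Unescaped output: a stored <script> payload runs for every visitor of the page.
    echo '<span class="name">' . get_option( 'demo_display_name' ) . '</span>';
}

// HARDENED: restrict who can write, verify the request, sanitize on input, escape on output.
function hardened_save_display_name() {
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        return; // unauthenticated visitors cannot write the value at all
    }
    check_admin_referer( 'demo_save_display_name' ); // nonce check against CSRF
    $raw   = isset( $_POST['display_name'] ) ? wp_unslash( $_POST['display_name'] ) : '';
    $clean = sanitize_text_field( $raw ); // strips tags, control characters, extra whitespace
    update_option( 'demo_display_name', $clean );
}
function hardened_render_display_name() {
    // Escape at the point of output regardless of what was stored (defense in depth).
    echo '<span class="name">' . esc_html( get_option( 'demo_display_name', '' ) ) . '</span>';
}

// For fields that legitimately carry HTML, allow a whitelist instead of stripping everything.
function hardened_save_bio() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return;
    }
    check_admin_referer( 'demo_save_bio' );
    $raw = isset( $_POST['bio'] ) ? wp_unslash( $_POST['bio'] ) : '';
    update_option( 'demo_bio', wp_kses_post( $raw ) ); // post-safe tags only; <script> is dropped
}
function hardened_render_bio() {
    echo wp_kses_post( get_option( 'demo_bio', '' ) );
}
```

Use esc_attr() when the value lands inside an HTML attribute and esc_url() for links; esc_html() is only correct in text content.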
“Taking into account that the weakness can be manipulated by assailants lacking any permissions on the site in question, the odds are significantly raised that the defacement could allow nefarious individuals to obtain administrative privileges on websites utilizing the flawed iteration of the plugin upon successful exploitation,” Wordfence remarked.
Notably, the plugin developers had fixed a similar flaw (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3, released on February 19.
Subsequently, an unrelated arbitrary file upload vulnerability was disclosed in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8) that could lead to remote code execution. It was addressed in version 7.11.5.
“Consequently, this enables bad actors with authentication, holding a contributor status or higher, to upload files arbitrarily to the server hosting the compromised website, which could potentially pave the way for executing code from a distance,” Wordfence noted.