Our partner, Foregenix, is one of the leading forensic investigation teams in the industry and regularly identifies new threats, vulnerabilities and malware in the eCommerce landscape.
Here is the latest Foregenix Cyber Intelligence summary report:
An update to Adobe Commerce Services Connector was released on 2024-11-12, addressing a high-severity vulnerability in software related to the Magento platform.
According to the Wordfence Intelligence Weekly Vulnerability Report, 222 vulnerabilities were disclosed in various WordPress plugins and themes, 15 of which were critical. Details have been documented below for the plugins with a high number of active installations; the following plugins, which have a low number of active installations, are omitted from the detailed write-ups:
- Bootscraper <= 3.0.0 - Unauthenticated Local File Inclusion
- Contact Page With Google Map <= 1.6.1 - Unauthenticated Arbitrary File Deletion
- Fediverse Embeds <= 1.5.3 - Unauthenticated Arbitrary File Upload
- Geolocator <= 1.1 - Unauthenticated PHP Object Injection
- Pathomation <= 2.5.1 - Unauthenticated Arbitrary File Upload
- Quick Learn <= 1.0.1 - Unauthenticated PHP Object Injection
- Opal Woo Custom Product Variation <= 1.1.3 - Unauthenticated Arbitrary File Deletion
- Social Login <= 5.9.0 - Authentication Bypass
- UserPlus <= 2.0 - Privilege Escalation
- Xpresslane Fast Checkout <= 1.0.0 - Unauthenticated PHP Object Injection
Adobe Commerce / Magento Open Source
Security Update for Adobe Commerce (APSB24-90)
On 12 November 2024, Adobe published a new security update (APSB24-90) for Adobe Commerce Services Connector, a Software as a Service (SaaS) component of Adobe Commerce/Magento Open Source.
The security update, version 3.2.6, addresses a vulnerability in previous versions of the software that is classified as Critical by Adobe and as High severity by the National Institute of Standards and Technology (NIST).
As of publication of this report, Foregenix Cyber Intelligence has not identified any published proof of concept or reports of exploitation in the wild.
This vulnerability only affects merchants using the Adobe Commerce Services Connector, so not all Magento installations are affected.
| Attribute | Detail |
|---|---|
| Affected Software | Adobe Commerce Services Connector |
| Software Type | SaaS features for Adobe Commerce Platform |
| Active Installations | Unknown |
| Vulnerability Type | Server-Side Request Forgery |
| Severity | 7.7 (High) |
| CVE ID | CVE-2024-49521 |
| Date Published | 2024-11-12 |
| Versions Affected | 3.2.5 and earlier |
| Remediation | Update to version 3.2.6 |
| Exploit Status | Unknown |
| Researcher | Akash Hamal |
| Reference(s) | |
WordPress Plugins/Themes
Unauthenticated Password Reset in AppPresser - Mobile App Framework
AppPresser is a mobile application builder, and its Mobile App Framework plugin enables website builders to connect their app to a WordPress site. The plugin has a vulnerability in the password reset process that enables unauthenticated attackers to reset a user’s password and gain access to that user’s account.
| Attribute | Detail |
|---|---|
| Affected Software | AppPresser – Mobile App Framework |
| Software Type | WordPress Plugin |
| Active Installations | 1000+ |
| Vulnerability Type | Unauthenticated Privilege Escalation via Password Reset |
| Severity | 9.8 (Critical) |
| CVE ID | CVE-2024-11024 |
| Date Published | 2024-11-25 |
| Versions Affected | <= 4.4.6 |
| Remediation | Update to version 4.4.7 |
| Exploit Status | Unknown |
| Researcher | shaman0x01 - Shaman Red Team |
| Reference | |
Unauthenticated Arbitrary File Read Vulnerability in Jobify Theme
The Jobify theme is one of the easier ways for a WordPress site to set up job listings and give users an easy-to-use interface for uploading and submitting their applications. In versions 4.2.3 and below, the theme is vulnerable to an arbitrary file read: any user is able to view the contents of any file on the target’s WordPress site.
If the allow_url_fopen configuration option is enabled in PHP, the submitted input is passed to a file-handling function, which can give the attacker full read access as well as server-side request forgery (SSRF).
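The defensive side of the issue described above, as an added example that is not code from the Jobify theme or from the report (it assumes PHP 8): a file name taken from a request is confined to one directory and refused if it names a stream wrapper, so it can reach neither arbitrary files nor, via allow_url_fopen, a URL.

```php
<?php
// Added example, not code from the Jobify theme or the report. Assumes PHP 8.
// The vulnerable form hands an untrusted file name straight to a stream function;
// with allow_url_fopen=On such functions also accept URLs, so an arbitrary file
// read can double as SSRF.
function read_vulnerable(string $name): string|false {
    return @file_get_contents($name);   // accepts "../wp-config.php" and, with allow_url_fopen, "http://..."
}

// Hardened form: reject stream wrappers and NUL bytes, resolve the name against a
// fixed base directory, and confirm the result is a regular file still under it.
function read_confined(string $name, string $baseDir): string {
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $name) || str_contains($name, "\0")) {
        throw new InvalidArgumentException('stream wrappers and NUL bytes are not allowed');
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        throw new RuntimeException('no such file');
    }
    // realpath() has already collapsed ".." and symlinks; the result must stay under $base.
    if (!str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException('path escapes the allowed directory');
    }
    if (!is_file($full)) {
        throw new RuntimeException('not a regular file');
    }
    return file_get_contents($full);
}

// Constructed demo: a throwaway upload directory with one legitimate file.
$dir = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/cv.txt", "constructed sample upload\n");
echo read_confined('cv.txt', $dir);
foreach (['../wp-config.php', 'http://127.0.0.1/'] as $bad) {
    try {
        read_confined($bad, $dir);
        echo "ALLOWED: $bad\n";
    } catch (Exception $e) {
        echo "blocked '$bad': {$e->getMessage()}\n";
    }
}
unlink("$dir/cv.txt");
rmdir($dir);
```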
| Attribute | Detail |
|---|---|
| Affected Software | Jobify |
| Software Type | WordPress theme/plugin |
| Active Installations | 14000 |
| Vulnerability Type | Unauthenticated Arbitrary File Read |
| Severity | 7.5 (High) |
| CVE ID | CVE-2024-52481 |
| Date Published | 2024-11-21 |
| Versions Affected | 4.2.3 (latest version) and below |
| Remediation | Unpatched at the time of writing |
| Exploit Status | Unknown |
| Researcher | Patchstack - Ananda Dhakal |
| Reference | |
Critical Account Takeover in Really Simple Security Plugin
The Really Simple Security plugin provides site users with two-factor authentication (2FA) and login protection, and also provides the website with SSL certificate generation and enforcement of redirects to HTTPS.
The identified vulnerability, improper error handling in the 2FA solution, allows unauthenticated attackers to log in as any existing user, including administrator accounts, knowing only the user ID, when 2FA is enabled.
| Attribute | Detail |
|---|---|
| Affected Software | Really Simple Security Plugin |
| Software Type | WordPress Plugin |
| Active Installations | 4,000,000 |
| Vulnerability Type | Unauthenticated Account Takeover |
| Severity | 9.8 (Critical) |
| CVE ID | CVE-2024-10924 |
| Date Published | 2024-11-14 |
| Versions Affected | 9.1.1 and earlier |
| Remediation | Update to version 9.1.2 |
| Exploit Status | Proof of Concept published |
| Researcher | István Márton (Wordfence) |
| Reference | |
PHP Object Injection in FluentSMTP
FluentSMTP enables site builders to connect their site to their email service provider. This vulnerability enables unauthenticated attackers to inject a PHP object. Combined with a property-oriented programming (POP) chain from another plugin, this could be leveraged by the attacker to delete arbitrary files, retrieve sensitive data or execute code.
| Attribute | Detail |
|---|---|
| Affected Software | FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider |
| Software Type | WordPress Plugin |
| Active Installations | 300,000+ |
| Vulnerability Type | Unauthenticated PHP Object Injection |
| Severity | 9.8 (Critical) |
| CVE ID | CVE-2024-9511 |
| Date Published | 2024-11-22 |
| Versions Affected | <= 2.2.82 |
| Remediation | Update to version 2.2.83 |
| Exploit Status | Unknown |
| Researcher | Leo Trinh |
| Reference | |
Unauthenticated PHP Object Injection in Team Rosters Plugin
The MSTW Team Rosters plugin manages rosters for multiple sports teams and can be repurposed for office use. It provides roster tables with built-in formats. The vulnerability makes it possible for unauthenticated attackers to inject a PHP object onto the site.
At the time of writing it is unknown whether a POP chain is present in the vulnerable software. However, if a POP chain is present via an additional plugin or theme on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code without permission.
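The mechanism behind the FluentSMTP and Team Rosters entries above, as an added example that is not code from either plugin or from the report: a constructed `LogWriter` class stands in for a POP gadget already loaded on a site, a constructed serialized payload reaches `unserialize()`, and the `allowed_classes` option shows how a defender stops the gadget from ever being instantiated.

```php
<?php
// Added example, not code from the report or from the affected plugins.
// LogWriter is a constructed stand-in for a "POP gadget": a class already loaded
// on the site whose magic method has a side effect an attacker can steer.
class LogWriter {
    public string $path = '/tmp/app.log';
    public string $line = '';

    public function __destruct() {
        // Simulated side effect. In a real chain this would be the file write,
        // file deletion or data read that the advisory warns about.
        echo "gadget fired: would write '{$this->line}' to {$this->path}\n";
    }
}

// Constructed attacker payload: a serialized LogWriter with attacker-chosen fields.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:17:"/tmp/anywhere.txt";s:4:"line";s:8:"injected";}';

// Vulnerable pattern: untrusted input reaches unserialize() with default options,
// so the object is instantiated and its __destruct() runs when it goes out of scope.
function parse_vulnerable(string $data) {
    return unserialize($data);
}

// Hardened pattern: forbid object instantiation. Any object in the payload is
// materialised as __PHP_Incomplete_Class, whose magic methods never run.
// (For nested data, walk the returned array and apply the same check.)
function parse_hardened(string $data) {
    $value = unserialize($data, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('objects are not accepted here');
    }
    return $value;
}

// Preferred for external data: avoid PHP serialization entirely and use JSON.
function parse_json(string $data): array {
    $value = json_decode($data, true, 16, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : [];
}

try {
    parse_hardened($payload);          // rejected; no gadget is created
} catch (UnexpectedValueException $e) {
    echo "hardened: {$e->getMessage()}\n";
}
$obj = parse_vulnerable($payload);     // gadget instantiated; __destruct() fires at shutdown
```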
| Attribute | Detail |
|---|---|
| Affected Software | Team Rosters |
| Software Type | WordPress plugin |
| Active Installations | 300+ |
| Vulnerability Type | Unauthenticated PHP Object Injection |
| Severity | 9.8 (Critical) |
| CVE ID | CVE-2024-52439 |
| Date Published | 2024-11-18 |
| Versions Affected | <= 4.6 |
| Remediation | Unpatched |
| Exploit Status | Unknown |
| Researcher | Mika |
| Reference | |
Unauthenticated Privilege Escalation in WAWP
Wawp, the All-in-One WhatsApp Plugin for WooCommerce, allows sending Order Status Notifications and OTP verification codes via WhatsApp.
The plugin is vulnerable to privilege escalation via account takeover in all versions up to, but not including, 3.0.18. This makes it possible for unauthenticated attackers to gain access to administrator accounts.
| Attribute | Detail |
|---|---|
| Affected Software | Wawp OTP Verification, Order Notifications, and Country Code Selector for WooCommerce |
| Software Type | WordPress plugin |
| Active Installations | 500+ |
| Vulnerability Type | Privilege Escalation |
| Severity | 9.8 (Critical) |
| CVE ID | CVE-2024-52475 |
| Date Published | 2024-11-19 |
| Versions Affected | < 3.0.18 |
| Remediation | Update to 3.0.18 |
| Exploit Status | Unknown |
| Researcher | stealthcopter |
| Reference | |
Arbitrary File Upload in School Management System for WordPress
The School Management System plugin for WordPress can be used to manage complete school operations. This vulnerability enables an unauthenticated attacker to upload arbitrary files, which may lead to remote code execution.
| Attribute | Detail |
|---|---|
| Affected Software | School Management System for Wordpress |
| Software Type | WordPress Plugin |
| Active Installations | Unknown |
| Vulnerability Type | Unauthenticated Arbitrary File Upload |
| Severity | 9.8 (Critical) |
| CVE ID | CVE-2024-9659 |
| Date Published | 2024-11-22 |
| Versions Affected | <= 91.5.0 |
| Remediation | Update to version 92.0.0 |
| Exploit Status | Unknown |
| Researcher | Tonn |
| Reference | |
Arbitrary File Upload in WPGYM
The WPGYM Wordpress Gym Management System plugin can be used to manage gyms. This vulnerability enables an unauthenticated attacker to upload arbitrary files, which may lead to remote code execution.
| Attribute | Detail |
|---|---|
| Affected Software | WPGYM - Wordpress Gym Management System |
| Software Type | WordPress Plugin |
| Active Installations | Unknown |
| Vulnerability Type | Unauthenticated Arbitrary File Upload |
| Severity | 9.8 (Critical) |
| CVE ID | CVE-2024-9942 |
| Date Published | 2024-11-22 |
| Versions Affected | <= 67.1.0 |
| Remediation | Update to version 67.2.0 |
| Exploit Status | Unknown |
| Researcher | Tonn |
| Reference | |
All credit for the summary report goes to the Foregenix Cyber Intelligence unit.