1. Advisory: Real-Time Find and Replace plugin in WordPress
Risk: High
Description: The BtCIRT would like to inform the general public about a new vulnerability found in the Real-Time Find and Replace plugin for WordPress, reported by security researchers. If exploited, this vulnerability allows Cross-Site Request Forgery (CSRF), which in turn leads to Stored Cross-Site Scripting (Stored XSS). It can allow an attacker to perform malicious activities such as creating rogue administrative user accounts, stealing session cookies, or redirecting users to a malicious site. The flaw affects all versions up to 3.9.
Recommendation: WordPress site administrators and owners using the affected plugin are advised to secure their websites by updating to the latest version (4.0.2) immediately.
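The CSRF-to-stored-XSS chain described above is the classic result of a plugin settings handler that saves POST data without a nonce, a capability check, or output-safe sanitization. The following is an added illustrative example, not code from the Real-Time Find and Replace plugin or from BtCIRT: it shows such a vulnerable handler next to the hardened form WordPress's own APIs provide. The option names, the `example_far_save` action slug and the `example-far` settings page slug are assumptions chosen for the example.

```php
<?php
// Added example: generic WordPress plugin settings handler (not the affected plugin's code).
// Option names and the "example_far_*" identifiers are hypothetical.

// 1. Vulnerable pattern. Any request that reaches this code is trusted: no nonce
//    (so a logged-in admin lured to an attacker-controlled page submits it cross-site),
//    no capability check, and the raw value is stored and later echoed into pages,
//    turning the CSRF into stored XSS.
function example_far_save_vulnerable() {
    if ( isset( $_POST['replacement'] ) ) {
        update_option( 'example_far_replacement', $_POST['replacement'] );
    }
}

// 2. Hardened pattern: handler registered on the admin-post.php action hook.
add_action( 'admin_post_example_far_save', 'example_far_save_hardened' );
function example_far_save_hardened() {
    // Authorization: only users who may manage options can change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), 403 );
    }
    // CSRF defence: the request must carry a valid nonce bound to this action and user.
    // check_admin_referer() dies with a 403 page if the nonce is missing or invalid.
    check_admin_referer( 'example_far_save_action', 'example_far_nonce' );

    // Input sanitization. The replacement text is reduced to the post-safe HTML
    // subset, so it cannot carry <script> or event handlers when output later.
    $search  = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';
    $replace = isset( $_POST['replacement'] ) ? wp_kses_post( wp_unslash( $_POST['replacement'] ) ) : '';

    update_option( 'example_far_search', $search );
    update_option( 'example_far_replacement', $replace );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-far' ) ) );
    exit;
}

// 3. The settings form that feeds the hardened handler: it emits the nonce field
//    and escapes current values on output.
function example_far_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_far_save">
        <?php wp_nonce_field( 'example_far_save_action', 'example_far_nonce' ); ?>
        <label>Search <input type="text" name="search"
            value="<?php echo esc_attr( get_option( 'example_far_search', '' ) ); ?>"></label>
        <label>Replacement <textarea name="replacement"><?php
            echo esc_textarea( get_option( 'example_far_replacement', '' ) ); ?></textarea></label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The three controls are independent and all three are needed: the nonce stops the cross-site request, the capability check stops lower-privileged users from reaching the handler directly, and sanitizing on input plus escaping on output keeps whatever is stored from executing in visitors' browsers.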
References:
2. Advisory: WordPress media-library-assistant plugin up to version 2.81
Risk: High
Description: This vulnerability resides in the media-library-assistant plugin for WordPress, versions up to 2.81, due to improper security controls. A remote attacker could exploit it by manipulating the arguments tax_query, meta_query, or data_query passed as parameters to the mla_gallery function of the affected system.
Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code with elevated privileges on the targeted system.
Recommendation: Update the media-library-assistant plugin to version 2.82 or later.
References:
https://www.cert.gov.lk/alert_info.php?id=173