The Pakistan Telecommunication Authority (PTA) has issued Cyber Security Advisory No. 360, warning about critical security vulnerabilities in multiple WordPress plugins. The advisory highlights four major vulnerabilities that pose significant risks to websites using affected plugins, urging administrators to apply necessary security patches immediately.
According to the advisory, the affected plugins include WordPress Advance Menu Manager (version 3.1.1 and earlier), WooCommerce PDF Vouchers (versions earlier than 4.9.9), and WPLMS (versions earlier than 1.9.9.5.2). The vulnerabilities allow unauthorized access, privilege escalation, and the execution of malicious code, making websites susceptible to cyberattacks.
The advisory identifies CVE-2024-54381 as a Missing Authorization vulnerability in the Dotstore Advance Menu Manager plugin, enabling unauthorized users to access restricted functionalities. Another flaw, CVE-2024-54383, is an Incorrect Privilege Assignment vulnerability in the WooCommerce PDF Vouchers plugin, allowing lower-level users to gain elevated permissions.
According to the PTA, serious security threats have also been detected in the WPLMS plugin, including CVE-2024-56055, a Path Traversal vulnerability that allows attackers to access restricted files, and CVE-2024-56051, an Improper Control of Code Generation vulnerability, which could enable attackers to inject and execute unauthorized code. The authority has classified the severity of these threats as high, with code execution as the primary attack vector.
The PTA has advised website administrators to immediately update the affected plugins using the recommended patches available here. It has also emphasized the importance of keeping all systems and software up to date with the latest security patches to prevent potential cyber threats.
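To act on the advisory, an administrator first needs to know which installed plugins fall inside the affected ranges quoted above. The following script is an added example, not part of the PTA advisory or of any of the plugins named: it reads the `Plugin Name:` and `Version:` fields that WordPress itself parses from a plugin's main file header, compares the version against the advisory's boundaries (a dotted-numeric comparison that pads missing components with zeros, so `3.1` equals `3.1.0`), and reports matches with the CVEs the page attributes to each plugin. The plugin header texts embedded in `SAMPLE_PLUGINS` are constructed for the example; matching advisory entries to header names by case-insensitive substring is an assumption, since a vendor's header name can differ from the name used in the advisory (for instance "Dotstore Advance Menu Manager").

```python
"""Check WordPress plugin header versions against PTA Advisory No. 360 ranges (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges as stated in the advisory text: (operator, boundary version, CVEs).
# "<=" means the boundary itself is affected ("3.1.1 and earlier");
# "<"  means only versions strictly before the boundary ("earlier than 4.9.9").
ADVISORY_360 = {
    "Advance Menu Manager": ("<=", "3.1.1", "CVE-2024-54381"),
    "WooCommerce PDF Vouchers": ("<", "4.9.9", "CVE-2024-54383"),
    "WPLMS": ("<", "1.9.9.5.2", "CVE-2024-56055, CVE-2024-56051"),
}

# Same shape WordPress uses for plugin headers: optional comment prefix, then "Field: value".
HEADER_FIELD = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.9.9.5.2' into (1, 9, 9, 5, 2); non-numeric suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is earlier than, equal to, or later than b."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))  # pad so 3.1 compares equal to 3.1.0
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(plugin_name: str, version: str) -> Optional[str]:
    """Return the CVE string when the plugin/version is in an affected range, else None."""
    for key, (op, boundary, cves) in ADVISORY_360.items():
        # Assumption: advisory name appears as a substring of the header name.
        if key.lower() in plugin_name.lower():
            c = compare_versions(version, boundary)
            if (op == "<=" and c <= 0) or (op == "<" and c < 0):
                return cves
            return None
    return None


def parse_plugin_header(source: str) -> Dict[str, str]:
    """Extract the first 'Plugin Name' and 'Version' header fields from a plugin file."""
    fields: Dict[str, str] = {}
    for match in HEADER_FIELD.finditer(source):
        fields.setdefault(match.group(1), match.group(2))
    return fields


def scan(sources: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (path, plugin name, version, CVEs) for every affected plugin in sources."""
    findings = []
    for path, source in sources.items():
        header = parse_plugin_header(source)
        if "Plugin Name" not in header or "Version" not in header:
            continue  # not a plugin main file
        cves = is_affected(header["Plugin Name"], header["Version"])
        if cves:
            findings.append((path, header["Plugin Name"], header["Version"], cves))
    return findings


# Constructed sample plugin main files (not real vendor files), keyed by path.
SAMPLE_PLUGINS = {
    "wp-content/plugins/advance-menu-manager/advance-menu-manager.php": "<?php\n"
    "/**\n * Plugin Name: Dotstore Advance Menu Manager\n * Version: 3.1.1\n */\n",
    "wp-content/plugins/woocommerce-pdf-vouchers/woocommerce-pdf-vouchers.php": "<?php\n"
    "/*\nPlugin Name: WooCommerce PDF Vouchers\nVersion: 4.9.9\n*/\n",
    "wp-content/plugins/wplms/wplms.php": "<?php\n"
    "/*\nPlugin Name: WPLMS\nVersion: 1.9.9.5\n*/\n",
    "wp-content/plugins/sample-unrelated/sample.php": "<?php\n"
    "/*\nPlugin Name: Sample Unrelated Plugin\nVersion: 0.1\n*/\n",
}

if __name__ == "__main__":
    for path, name, version, cves in scan(SAMPLE_PLUGINS):
        print(f"AFFECTED: {name} {version} ({cves}) at {path}")
```

On a real install, replace `SAMPLE_PLUGINS` with the contents of each `wp-content/plugins/*/*.php` file that carries a `Plugin Name:` header; the version boundaries stay exactly as the advisory states them, so a plugin sitting on the patched release (for example PDF Vouchers 4.9.9) is correctly reported as not affected.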
