WordPress plugin security update advisory (CVE-2024-28000, CVE-2024-6695, CVE-2024-6500)

Overview

An update has been released to address vulnerabilities in the WordPress plugins LiteSpeed Cache, profile-builder (User Profile Builder), InPost for WooCommerce and InPost PL. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-28000

  • LiteSpeed Cache versions: 1.9 through 6.3.0.1 (both inclusive)

CVE-2024-6695

  • profile-builder versions: all versions before 3.11.9 (3.11.9 itself is not affected)

CVE-2024-6500

  • InPost for WooCommerce versions: 1.4.0 and earlier
  • InPost PL versions: 1.4.4 and earlier

Resolved Vulnerabilities

Incorrect permission assignment in LiteSpeed Technologies' LiteSpeed Cache plugin (litespeed-cache) allows unauthenticated privilege escalation (CVE-2024-28000)

An authentication bypass vulnerability in profile-builder that could allow an attacker without any kind of account on the target site to gain administrator privileges and perform unauthorized actions (CVE-2024-6695)

A missing authorization check in the 'parse_request' function of InPost for WooCommerce and InPost PL allows unauthenticated attackers to read and delete arbitrary files on Windows servers (CVE-2024-6500)

Vulnerability Patches

The patched versions for each affected product are listed below. Follow the instructions on the referenced sites to update to the patched version.

CVE-2024-28000

  • LiteSpeed Cache version: 6.4

CVE-2024-6695

  • profile-builder version: 3.11.9

CVE-2024-6500

  • InPost for WooCommerce version: There are no known patch versions for this product yet.
  • InPost PL version: 1.4.5 or later
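The affected ranges and fixed versions above are straightforward to turn into an inventory check. The following is an added example, not part of this advisory or of any of the plugins: it copies the version ranges from the text, compares them against a plugin list in the JSON shape printed by `wp plugin list --format=json` (fields name, status, update, version), and reports what to do per finding. The sample inventory is constructed, and the slugs used for the two InPost plugins are assumptions rather than values taken from the advisory.

```python
"""Inventory check against the version ranges in this advisory.

Added example, not part of the advisory: the ranges and fixed versions are
copied from the advisory text; the plugin inventory is constructed sample
data in the shape printed by `wp plugin list --format=json`. The InPost
slugs are assumed, not taken from the advisory.
"""
import json
import re

# Affected range per plugin slug: versions from `first` (None = any) up to
# `last`; `last_inclusive` says whether `last` itself is affected.
ADVISORY = {
    "litespeed-cache": {"cve": "CVE-2024-28000", "first": "1.9", "last": "6.3.0.1",
                        "last_inclusive": True, "fixed": "6.4"},
    "profile-builder": {"cve": "CVE-2024-6695", "first": None, "last": "3.11.9",
                        "last_inclusive": False, "fixed": "3.11.9"},
    # The two slugs below are assumed for illustration.
    "inpost-for-woocommerce": {"cve": "CVE-2024-6500", "first": None, "last": "1.4.0",
                               "last_inclusive": True, "fixed": None},
    "inpost-pl": {"cve": "CVE-2024-6500", "first": None, "last": "1.4.4",
                  "last_inclusive": True, "fixed": "1.4.5"},
}


def parse_version(text):
    """Turn '6.3.0.1' into a comparable tuple, treating 1.4 and 1.4.0 as equal.

    A non-numeric suffix on a component (e.g. '1-beta') is ignored.
    """
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(slug, version):
    """True if `version` of plugin `slug` falls inside the advisory's affected range."""
    entry = ADVISORY.get(slug)
    if entry is None:
        return False
    installed = parse_version(version)
    if entry["first"] is not None and installed < parse_version(entry["first"]):
        return False
    last = parse_version(entry["last"])
    return installed <= last if entry["last_inclusive"] else installed < last


def assess(inventory_json):
    """Return one finding per installed plugin whose version is in an affected range."""
    findings = []
    for plugin in json.loads(inventory_json):
        slug, version = plugin["name"], plugin["version"]
        if not is_affected(slug, version):
            continue
        entry = ADVISORY[slug]
        if entry["fixed"]:
            action = f"update to {entry['fixed']} or later"
        else:
            action = "no fixed version known yet; consider deactivating until one is released"
        findings.append({"plugin": slug, "installed": version,
                         "cve": entry["cve"], "action": action})
    return findings


# Constructed sample inventory (not real site data).
SAMPLE_INVENTORY = json.dumps([
    {"name": "litespeed-cache", "status": "active", "update": "available", "version": "6.3.0.1"},
    {"name": "profile-builder", "status": "active", "update": "none", "version": "3.11.9"},
    {"name": "inpost-pl", "status": "inactive", "update": "none", "version": "1.4"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for finding in assess(SAMPLE_INVENTORY):
        print(f"{finding['plugin']} {finding['installed']}: {finding['cve']}, {finding['action']}")
```

Note that the upper bound for profile-builder is exclusive while the others are inclusive, and that a version string such as 1.4 must compare equal to 1.4.0; both are the places where a hand-written comparison usually goes wrong, so the example handles them explicitly.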
References

[1] CVE-2024-28000 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-28000

[2] WordPress LiteSpeed Cache Plugin <= 6.3.0.1 is vulnerable to Privilege Escalation

https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-3-0-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve

[3] CVE-2024-6695 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-6695

[4] User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.11.8 – Authentication Bypass

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/profile-builder/user-profile-builder-beautiful-user-registration-forms-user-profiles-user-role-editor-3118-authentication-bypass

[5] CVE-2024-6500 Detail

https://nvd.nist.gov/vuln/detail/cve-2024-6500

[6] InPost for WooCommerce <= 1.4.0 and InPost PL <= 1.4.4 – Missing Authorization to Unauthenticated Arbitrary File Read and Delete

https://www.wordfence.com/threat-intel/vulnerabilities/detail/inpost-for-woocommerce-140-and-inpost-pl-144-missing-authorization-to-unauthenticated-arbitrary-file-read-and-delete