WordPress Plugin Security Update Advisory

Overview

An update has been released to address vulnerabilities in the WP Umbrella: Update Backup Restore & Monitoring and WPForms plugins for WordPress. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-12209

  • WP Umbrella: Update Backup Restore & Monitoring: all versions up to and including 2.17.0

CVE-2024-11205

  • WPForms: versions 1.8.4 through 1.9.2.1 (inclusive)

Resolved Vulnerabilities

Local file inclusion via the ‘filename’ parameter of the ‘umbrella-restore’ action, which could allow attackers to include and execute arbitrary files on the server (CVE-2024-12209)

Missing authorization check for the ‘wpforms_is_admin_page’ function, which could allow unauthorized data modification (CVE-2024-11205)
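A defender-side check for the local file inclusion in the ‘umbrella-restore’ action described above, added here as an example and not taken from the advisory or from the plugin: it scans web-server access logs for requests to that action whose ‘filename’ parameter carries a traversal sequence, an absolute path, a null byte or a stream-wrapper prefix. The URL shape (admin-ajax.php with an action query parameter) and the sample log lines are assumptions; the advisory names only the action and the parameter.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}'
)

# Constructed sample log lines, not real traffic. The URL shape (admin-ajax.php?action=...)
# is an assumption; the advisory names only the action and the parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2024:08:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=umbrella-restore&filename=../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.3 - - [10/Dec/2024:08:16:11 +0000] "GET /wp-admin/admin-ajax.php?action=umbrella-restore&filename=backup-2024-12-09.zip HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2024:08:17:45 +0000] "GET /wp-admin/admin-ajax.php?action=umbrella-restore&filename=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '192.0.2.9 - - [10/Dec/2024:08:18:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]

def classify_filename(value: str) -> list:
    """Return why a 'filename' value looks like an inclusion attempt (empty list = benign).
    The value is percent-decoded twice so double-encoded traversal is caught as well."""
    decoded = unquote(unquote(value))
    reasons = []
    if '..' in decoded or decoded.startswith(('/', '\\')):
        reasons.append('path traversal or absolute path')
    if '\x00' in decoded:
        reasons.append('null byte')
    if '://' in decoded:
        reasons.append('stream wrapper')
    return reasons

def scan_access_log(lines) -> list:
    """Return (ip, timestamp, filename, reasons) for each umbrella-restore request with a
    suspicious 'filename'. Access logs only show GET query strings; POST bodies need WAF logs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
        if 'umbrella-restore' not in params.get('action', []):
            continue
        for fname in params.get('filename', []):
            reasons = classify_filename(fname)
            if reasons:
                hits.append((m['ip'], m['ts'], fname, reasons))
    return hits

if __name__ == '__main__':
    for ip, ts, fname, reasons in scan_access_log(SAMPLE_LOG):
        print(ts, ip, repr(fname), ', '.join(reasons))
```

Any hit from a version at or below 2.17.0 is worth treating as a possible compromise rather than just a blocked probe, since the advisory states the inclusion was exploitable before the 2.17.1 update.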

Vulnerability Patches

Patches are available in the latest releases. Follow the instructions on the referenced sites to update to the patched version.

CVE-2024-12209

  • WP Umbrella: Update Backup Restore & Monitoring version: 2.17.1

CVE-2024-11205

  • WPForms version: 1.9.2.2

Referenced Sites

[1] CVE-2024-12209 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-12209

[2] WP Umbrella: Update Backup Restore & Monitoring <= 2.17.0 – Unauthenticated Local File Inclusion

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-health/wp-umbrella-update-backup-restore-monitoring-2170-unauthenticated-local-file-inclusion

[3] CVE-2024-11205 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-11205

[4] WPForms 1.8.4 – 1.9.2.1 – Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpforms-lite/wpforms-184-1921-missing-authorization-to-authenticated-subscriber-payment-refund-and-subscription-cancellation