Latest Vulnerabilities Updates: AppSecWorld's CVE Daily Digest for January 04-05, 2025

In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between January 04-05, 2025.
During this period, the National Vulnerability Database published 39 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:

Critical: 1
High: 4
Medium: 25
Low: 1
Severity Not Assigned: 8

Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.

1. CVE-2024-10932
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit.
References: https://plugins.trac.wordpress.org/browser//backup-backup/tags/1.4.6/includes/database/search-replace.php#L46
https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.4.6.1/includes/database/search-replace.php#L46
https://www.wordfence.com/threat-intel/vulnerabilities/id/d5a0c514-5200-47f4-9d2e-684d68946b9a?source=cve

CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found

2. CVE-2024-12583
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
References: https://plugins.trac.wordpress.org/browser/integration-dynamics/trunk/src/Shortcode/Twig.php#L53
https://plugins.trac.wordpress.org/changeset/3210927/
https://www.wordfence.com/threat-intel/vulnerabilities/id/7f3dac5a-9ff8-4e8c-8c73-422123e121d8?source=cve

CWE-ID: CWE-1336
Common Platform Enumerations (CPE): Not Found

3. CVE-2024-10957
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.24.11 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit.
References: https://plugins.trac.wordpress.org/browser/updraftplus/trunk/includes/class-search-replace.php#L411
https://plugins.trac.wordpress.org/changeset/3212299/
https://www.wordfence.com/threat-intel/vulnerabilities/id/4729ed37-96b2-4717-8a72-89b9a21ec058?source=cve

CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found

4. CVE-2024-41766
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause a denial of service using a complex regular expression.
References: https://www.ibm.com/support/pages/node/7180203

CWE-ID: CWE-1333
Common Platform Enumerations (CPE): Not Found

5. CVE-2024-41767
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
References: https://www.ibm.com/support/pages/node/7180199

CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
