Skip to content

WordPress Plugin Critical Vulnerabilities - 20240819001

Overview

The WA SOC has been made aware of critical unauthorized access and deletion of data vulnerability affecting WordPress InPost Plugins.

Wordfence Intelligence have posted an advisory relating to a vulnerability caused by plugins InPost for WooCommerce and InPost PL for WordPress allowing unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function. This makes it possible for unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress install will be deleted, but all files can be read.

What is vulnerable?

Product(s) Affected CVE CVSS Severity
- Plugin “InPost PL” versions < 1.4.5
- Plugin “InPost for WooCommerce” versions \<= 1.4.0 (unpatched at time of writing)
CVE-2024-6500 10 Critical

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 48 hours... (refer Patch Management):

Additional References