Several theme-level vulnerabilities, coupled with evolving abuse tactics, are once again demonstrating how exposed WordPress becomes when multiple weaknesses line up.
An unauthenticated file access and deletion vulnerability has been disclosed in the WPLMS theme, tracked as CVE-2024-10470 and assigned a CVSS score of 9.8, which has exposed thousands of learning management deployments.
The issue affects more than 28,000 active installations and lets attackers read or delete sensitive files such as wp-config.php, lowering the barrier to full site compromise, data exposure, and operational disruption.
The vulnerability is a serious threat on its own, but its intersection with a broader wave of hostile activity that has already targeted WordPress ecosystems at scale makes it particularly acute.
This is consistent with recent research by Sucuri showing that threat actors are using malicious JavaScript injections to weaponize distributed brute-force campaigns against compromised sites.
Instead of attacking targets directly, the injected code quietly conscripts the browsers of unsuspecting visitors, creating a distributed attack platform built on normal web traffic.
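The defensive problem with browser-conscripted brute forcing is that each source contributes only a handful of login attempts, so per-IP rate limiting never trips. The script below is an added detection example, not code from the article or from Sucuri: it parses combined-format web server access logs and flags the many-sources, few-attempts-each pattern. It assumes the standard WordPress login endpoint wp-login.php and that a failed login re-renders the form (HTTP 200) while a successful one redirects (HTTP 302); the log lines are constructed for the example.

```python
"""Detect distributed (many-source) brute-force login attempts in access logs.

Added example, not from the article. Assumes Apache/nginx combined log format,
the standard WordPress login endpoint /wp-login.php, and that a failed login
answers 200 (form re-rendered) while a successful login answers 302 (redirect).
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

LOGIN_PATHS = ("/wp-login.php",)  # assumption: standard WordPress login endpoint

# Constructed sample: seven distinct sources with 1-2 failed POSTs each, one
# successful login, and ordinary GET traffic from a visitor (documentation IPs).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.11 - - [10/Nov/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
198.51.100.5 - - [10/Nov/2024:10:00:02 +0000] "GET /blog/ HTTP/1.1" 200 9812
203.0.113.12 - - [10/Nov/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.13 - - [10/Nov/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.13 - - [10/Nov/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.14 - - [10/Nov/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.15 - - [10/Nov/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.16 - - [10/Nov/2024:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.17 - - [10/Nov/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.5 - - [10/Nov/2024:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4523
"""


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def login_attempts(records):
    """Count POSTs to the login endpoint per source IP, split into failed/success.

    Only POSTs count as attempts; a GET of the login page is just a page view.
    """
    per_ip = defaultdict(lambda: {"failed": 0, "success": 0})
    for r in records:
        if r["method"] != "POST" or r["path"].split("?")[0] not in LOGIN_PATHS:
            continue
        key = "success" if r["status"].startswith("3") else "failed"
        per_ip[r["ip"]][key] += 1
    return dict(per_ip)


def detect_distributed_bruteforce(per_ip, min_sources=5, max_per_source=3):
    """Flag the low-and-slow pattern: many distinct sources, each with only a
    few failed attempts. Per-IP thresholds miss this; counting sources does not."""
    quiet_sources = [ip for ip, c in per_ip.items()
                     if 0 < c["failed"] <= max_per_source]
    total_failed = sum(c["failed"] for c in per_ip.values())
    return {
        "flagged": len(quiet_sources) >= min_sources,
        "sources": sorted(quiet_sources),
        "failed_total": total_failed,
    }


if __name__ == "__main__":
    counts = login_attempts(parse_lines(SAMPLE_LOG))
    print(detect_distributed_bruteforce(counts))
```

Thresholds are site-specific: a busy membership site sees many legitimate failed logins per hour, so tune `min_sources` and the time window against a baseline before alerting on it. The useful signal is the count of distinct sources with only a few failures each, which is exactly what a browser-conscripted campaign produces and what per-IP lockout plugins overlook.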
Earlier campaigns were focused on crypto drainers and Web3 phishing redirects, but the latest iteration, which has been
[…]
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
