The Pakistan Telecommunication Authority (PTA) has issued a serious cybersecurity advisory, cautioning website administrators about multiple critical security vulnerabilities identified in widely-used WordPress plugins. Released as Cyber Security Advisory No. 360, the alert highlights four major vulnerabilities that expose websites to potential unauthorized access, privilege escalation, and remote code execution, urging administrators to take immediate preventive measures.
PTA’s advisory specifically identifies security flaws in three commonly used plugins: Advance Menu Manager (version 3.1.1 and earlier), WooCommerce PDF Vouchers (versions earlier than 4.9.9), and WPLMS (versions earlier than 1.9.9.5.2). These plugins are widely deployed by businesses and website owners across Pakistan and globally, making this advisory particularly critical for the WordPress community.
The vulnerabilities flagged in the advisory include serious issues that could allow malicious actors to compromise affected websites. Among the key flaws identified is CVE-2024-54381, a Missing Authorization vulnerability in the Dotstore Advance Menu Manager plugin. This vulnerability enables unauthorized users to access restricted functionalities within the WordPress platform, putting sensitive data and website integrity at risk.
Additionally, the advisory warns of CVE-2024-54383, an Incorrect Privilege Assignment vulnerability discovered in the WooCommerce PDF Vouchers plugin. This flaw allows users with lower privileges to gain unauthorized elevated access, potentially leading to unauthorized changes in website content, user data leaks, and other serious security breaches.
The WPLMS plugin, a popular learning management system plugin used by educational platforms, has also been flagged with two critical vulnerabilities. These include CVE-2024-56055, a Path Traversal vulnerability that allows attackers to access restricted files on the website’s server. Furthermore, CVE-2024-56051, identified as an Improper Control of Code Generation vulnerability, could allow attackers to inject and execute arbitrary code, resulting in full-scale website compromise.
PTA has classified the severity of these vulnerabilities as high, stating that they pose significant risks to the security and privacy of websites and their users. The advisory further noted that the primary attack vector associated with these vulnerabilities is code execution, making it crucial for website administrators to take immediate corrective actions.
In its advisory, PTA has urged all WordPress website administrators and hosting service providers to promptly apply the latest security patches released by the respective plugin developers. The authority has provided links to the official patches and updates, encouraging stakeholders to implement them without delay to minimize the risk of exploitation.
The PTA has also emphasized the importance of adopting robust cybersecurity practices. It has advised administrators to keep all WordPress core files, themes, and plugins up to date, regularly monitor websites for suspicious activity, and implement strong access controls to mitigate the risk of cyberattacks.
This latest advisory reflects the increasing need for vigilance in Pakistan’s digital ecosystem, particularly as the use of open-source platforms like WordPress continues to grow among businesses, e-commerce platforms, and content creators. The PTA’s timely alert serves as a reminder of the evolving nature of cyber threats and the critical importance of proactive security measures to protect digital assets.
