PT-2024-16635 · WordPress · Pojo Forms

Arkadiusz Hydzik · Published 2024-12-06 · Updated 2024-12-06 · CVE-2024-10909

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Pojo Forms plugin for WordPress, versions 1.4.7 and earlier

Description: The Pojo Forms plugin for WordPress is vulnerable to arbitrary shortcode execution via the form preview shortcode AJAX action. The plugin exposes an action that passes a request-supplied value to do_shortcode() without properly validating it. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

Recommendations: For versions 1.4.7 and earlier, update to version 1.4.8 or later, which partially fixes the issue. As a temporary workaround, restrict access to the form preview shortcode AJAX action to reduce the risk of exploitation, and additionally restrict which shortcodes can be executed through it.
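The following is a constructed illustration of the bug class described above and of the two controls the workaround asks for (restricting who can reach the AJAX action, and restricting what it is allowed to run). It is not Pojo Forms code and does not reproduce the plugin's fix; the hook names, the example_form post type and shortcode, the script handle and the nonce action are all placeholders chosen for this example. Only standard WordPress API calls are used.

```php
<?php
// Constructed example; not the plugin's code. 'example_form', the hook names and
// the nonce action are placeholders.

// --- Vulnerable pattern: the shape of bug the advisory describes -------------
// wp_ajax_* hooks are reachable by any authenticated user, so without a
// capability check a Subscriber can call this handler. The request value goes
// straight into do_shortcode(), so any registered shortcode on the site can be
// executed with attacker-chosen attributes.
add_action( 'wp_ajax_example_form_preview', 'example_form_preview_vulnerable' );
function example_form_preview_vulnerable() {
    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $shortcode );
    wp_die();
}

// --- Hardened pattern ---------------------------------------------------------
// 1. A nonce ties the request to a page the plugin rendered (CSRF protection).
// 2. A capability check keeps low-privilege roles out of the action.
// 3. The client sends only a form ID; the shortcode string is built server-side,
//    so the request can never choose which shortcode runs or what attributes it gets.
add_action( 'wp_ajax_example_form_preview_safe', 'example_form_preview_hardened' );
function example_form_preview_hardened() {
    // Dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_form_preview', 'nonce' );

    // Subscribers do not have edit_posts, so they are rejected here.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // absint() guarantees a non-negative integer; anything else becomes 0.
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $form    = $form_id ? get_post( $form_id ) : null;

    // The ID must refer to one of the plugin's own forms, and the caller must be
    // allowed to edit that specific form (per-object check, not just a role check).
    if ( ! $form || 'example_form' !== $form->post_type || ! current_user_can( 'edit_post', $form_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown form.' ), 400 );
    }

    if ( ! shortcode_exists( 'example_form' ) ) {
        wp_send_json_error( array( 'message' => 'Preview unavailable.' ), 500 );
    }

    // The only shortcode that can ever run here is the plugin's own, and the only
    // attribute is an integer formatted with %d, so it cannot break out of the
    // shortcode syntax.
    $html = do_shortcode( sprintf( '[example_form id="%d"]', $form_id ) );

    wp_send_json_success( array( 'html' => $html ) );
}

// Hand the nonce to the editor-side script that issues the preview request.
// 'editor.js' and the script handle are placeholders.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-form-editor', plugins_url( 'editor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-form-editor', 'ExampleFormPreview', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_form_preview' ),
    ) );
} );
```

Two points worth noting when reviewing similar handlers. First, the vector's PR:L reflects that only the wp_ajax_ hook is registered, not wp_ajax_nopriv_, so an account is required; a capability check is still needed because every logged-in role can reach wp_ajax_ actions. Second, the decisive change is not sanitising the shortcode string but refusing to accept one at all: once the server builds the shortcode from a validated identifier, the set of shortcodes the action can execute is fixed at the plugin's own, which is what "restrict the execution of arbitrary shortcodes" amounts to in practice.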

Fix

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2024-10909

Affected Products: Pojo Forms