PT-2024-16660 · WordPress · Authors List

Arkadiusz Hydzik

Published

2024-12-04

Updated

2024-12-09

CVE-2024-10952

CVSS v3.1

7.3

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions The Authors List plugin for WordPress versions up to, and including, 2.0.4

Description The issue allows unauthenticated attackers to execute arbitrary shortcodes due to the software permitting users to execute an action that does not properly validate a value before running do shortcode. This is possible via the update authors list ajax AJAX action.

Recommendations For versions up to, and including, 2.0.4, consider disabling the update authors list ajax AJAX action until a patch is available. Restrict access to the do shortcode function to minimize the risk of exploitation. Avoid using the update authors list ajax action in the affected API endpoint until the issue is resolved.

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2024-10952

Affected Products

Authors List

PT-2024-16660 · WordPress · Authors List

CVE-2024-10952

Weakness Enumeration

Related Identifiers

Affected Products

References · 11