PT-2024-17403 · WordPress · Snippet Shortcodes
Theviper17Y +1
Published: 2024-12-12 · Updated: 2024-12-12
CVE: CVE-2024-12018
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Snippet Shortcodes plugin for WordPress versions up to and including 4.1.6
Description
The plugin's shortcode-deletion functionality lacks an authorization (capability) check, so any authenticated user with Subscriber-level access or above can delete the plugin's shortcodes. The only gate on the action is a nonce, which is used in place of a proper authorization check; because the nonce value is leaked, it does not stop a low-privileged user from performing the deletion.
Recommendations
For versions up to and including 4.1.6, update to a version higher than 4.1.6 to resolve the issue. As a temporary workaround until the update can be applied, restrict access to the shortcode-deletion functionality to minimize the risk of exploitation.
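The pattern the description and the workaround refer to, as an added illustration that is not the Snippet Shortcodes plugin's own code: a nonce only proves that the request came from a page WordPress rendered for a logged-in user (CSRF protection); it says nothing about whether that user is allowed to perform the action, and once the nonce value is visible to a low-privileged user it provides no protection at all. The AJAX action name `ssx_delete_shortcode`, the option key `ssx_shortcodes` and the nonce action `ssx_delete` below are hypothetical; the WordPress functions (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `wp_create_nonce`, `get_option`, `update_option`) are real.

```php
<?php
/*
 * Added example, not the plugin's own code. Hypothetical names:
 * 'ssx_delete_shortcode' (AJAX action), 'ssx_shortcodes' (option key),
 * 'ssx_delete' (nonce action). Shows the weak pattern and its hardened form.
 */

// Shared helper: remove one entry from a hypothetical list stored as an option.
function ssx_remove_shortcode_by_id( $id ) {
    $shortcodes = get_option( 'ssx_shortcodes', array() );
    if ( ! isset( $shortcodes[ $id ] ) ) {
        return false;
    }
    unset( $shortcodes[ $id ] );
    return update_option( 'ssx_shortcodes', $shortcodes );
}

// --- Weak pattern: the nonce is the only gate (missing authorization) ---
function ssx_delete_shortcode_vulnerable() {
    // Verifies a CSRF token only. Any logged-in user, Subscriber included,
    // who can obtain a valid nonce value passes this check.
    check_ajax_referer( 'ssx_delete', 'nonce' );

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    ssx_remove_shortcode_by_id( $id );
    wp_send_json_success();
}

// --- Hardened pattern: capability check first, nonce second ---
function ssx_delete_shortcode_secure() {
    // Authorization: only users who may manage plugin settings can delete.
    // This holds even if the nonce value has been exposed somewhere.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient privileges', 403 );
    }
    // CSRF protection: still required, but no longer the only gate.
    check_ajax_referer( 'ssx_delete', 'nonce' );

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! ssx_remove_shortcode_by_id( $id ) ) {
        wp_send_json_error( 'Unknown shortcode id', 404 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_ssx_delete_shortcode', 'ssx_delete_shortcode_secure' );

// Only mint the nonce for users who are authorized to use it, so its value
// is never emitted into markup that lower-privileged users can view.
function ssx_enqueue_admin_script() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'ssx-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ssx-admin', 'ssxAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ssx_delete' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ssx_enqueue_admin_script' );
```

The capability check is what the "restrict access to the shortcode-deletion functionality" workaround amounts to: the nonce check stays for CSRF, but the deletion is refused unless `current_user_can()` grants the relevant capability, and the nonce is only handed to users who already hold it.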
Fix
Missing Authorization
Affected Products
Snippet Shortcodes