Unsafe Shortcode Execution Vulnerability
CVE-2024-10681
6.3 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 6 December 2024
Summary
The ARMember – Membership Plugin for WordPress, in all versions up to and including 4.0.51, allows arbitrary shortcode execution. A value taken from the request is passed to WordPress's do_shortcode() without first being checked against the set of shortcodes the plugin actually intends to expose. Any authenticated user with Subscriber-level access or higher can therefore invoke any shortcode registered on the site, including shortcodes belonging to other plugins or the theme, with attributes of their choosing. Because Subscriber is the lowest default WordPress role and is what sites with open registration hand out, the practical bar to exploitation is often just creating an account. What an attacker gains depends on which shortcodes the site has registered and what they do, which is why the CVSS score rates confidentiality, integrity and availability impact as Low rather than High. Site owners running ARMember should update to a version later than 4.0.51; until they can, disabling open user registration or deactivating the plugin removes the attacker's foothold.
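As an added illustration of the flaw class described above, not ARMember's own code, the snippet below shows the general shape of an "arbitrary shortcode execution" bug in a WordPress AJAX handler next to a hardened version. The action names (example_render_bad, example_render_good), the nonce name and the allowlisted shortcode tags are hypothetical; the WordPress functions used (add_action, do_shortcode, check_ajax_referer, current_user_can, sanitize_key, shortcode_exists, absint, wp_send_json_error, wp_send_json_success) are the real core APIs.

```php
<?php
// Added example, not code from the ARMember plugin. The action names,
// nonce name and allowlist contents below are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// Every logged-in user, Subscriber included, can reach
// admin-ajax.php?action=example_render_bad. Whatever arrives in
// $_POST['shortcode'] is wrapped in brackets and handed to do_shortcode(),
// so the caller chooses which registered shortcode runs and with which
// attributes, regardless of which plugin registered it or which role that
// plugin meant to expose it to.
add_action( 'wp_ajax_example_render_bad', function () {
	$raw = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
	echo do_shortcode( '[' . $raw . ']' ); // e.g. shortcode=some_tag attr="x"
	wp_die();
} );

// --- Hardened pattern -----------------------------------------------------
// 1. CSRF: require a nonce minted for this specific action.
// 2. Authorisation: require a capability, not merely "is logged in".
// 3. Allowlist: accept only tag names this plugin registers itself and only
//    the attributes it understands; never rebuild shortcode syntax from
//    raw request input.
const EXAMPLE_ALLOWED_SHORTCODES = array( 'example_profile', 'example_plan_list' ); // hypothetical tags

add_action( 'wp_ajax_example_render_good', function () {
	// Dies with HTTP 403 if the nonce is missing or invalid.
	check_ajax_referer( 'example_render_nonce', 'nonce' );

	// Subscriber lacks edit_posts; pick the capability that matches what the
	// rendered shortcodes are allowed to reveal or change.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	// sanitize_key() reduces the tag to [a-z0-9_-], then the allowlist and
	// shortcode_exists() together confirm it is one of ours and registered.
	$tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
	if ( ! in_array( $tag, EXAMPLE_ALLOWED_SHORTCODES, true ) || ! shortcode_exists( $tag ) ) {
		wp_send_json_error( 'unknown shortcode', 400 );
	}

	// The single attribute this endpoint supports, validated as a positive
	// integer rather than passed through as text.
	$id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
	if ( 0 === $id ) {
		wp_send_json_error( 'bad id', 400 );
	}

	// Assemble the shortcode string from validated parts only.
	$html = do_shortcode( sprintf( '[%s id="%d"]', $tag, $id ) );
	wp_send_json_success( array( 'html' => $html ) );
} );
```

The key difference is not the sanitiser but where the shortcode string comes from: in the hardened handler the attacker controls a choice among a fixed set of tags and one typed attribute, never the bracketed text itself. When auditing a plugin for this class of bug, grep for do_shortcode( and check whether any argument is built, even in part, from $_GET, $_POST, $_REQUEST or REST request parameters without an allowlist of tags.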
Affected Version(s)
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup: all versions <= 4.0.51
References
CVSS v3.1
Score: 6.3 (MEDIUM)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
Timeline
Vulnerability reserved
Vulnerability published: 6 December 2024
Credit
Arkadiusz Hydzik