Unauthenticated Arbitrary Shortcode Execution Vulnerability in The Grid Plus
CVE-2024-10910

7.3HIGH

Key Information:

Vendor: Wordpress
Status: Grid Plus – Unlimited Grid Layout
Vendor: CVE Published:; 12 December 2024

Summary

The Grid Plus plugin for WordPress has a vulnerability that allows arbitrary shortcode execution through the grid_plus_load_by_category AJAX action. This issue affects all versions up to and including 1.3.5. The lack of proper validation before executing the do_shortcode function creates an opportunity for unauthenticated attackers to execute malicious shortcodes. This vulnerability poses a significant security risk, as it can be exploited by anyone without authentication, possibly leading to unauthorized actions within the affected WordPress sites. Users are advised to review the plugin's security settings and consider updating to the latest version to mitigate this vulnerability.

Affected Version(s)

Grid Plus – Unlimited grid layout * <= 1.3.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/grid-plus/tags...

https://wordpress.org/plugins/grid-plus/#developers

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 12, 2024
Vulnerability Reserved
Nov 6, 2024

Credit

Arkadiusz Hydzik