Arbitrary Shortcode Execution Vulnerability in The Authors List Plugin
CVE-2024-10952

7.3HIGH

Key Information:

Vendor: Wordpress
Status: Authors List
Vendor: CVE Published:; 4 December 2024

What is CVE-2024-10952?

The Authors List plugin for WordPress is impacted by a vulnerability that allows for arbitrary shortcode execution. This issue arises from the update_authors_list_ajax AJAX action, which fails to properly validate user-supplied input before executing do_shortcode. As a result, unauthenticated attackers can exploit this weakness to run arbitrary shortcodes, potentially leading to unauthorized actions and code execution within WordPress environments. All versions of the plugin up to and including 2.0.4 are affected, necessitating prompt updates to mitigate any risks associated with this vulnerability.

Affected Version(s)

Authors List * <= 2.0.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/authors-list/t...

https://wordpress.org/plugins/authors-list/#developers

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 4, 2024
Vulnerability Reserved
Nov 6, 2024

Credit

Arkadiusz Hydzik