Arbitrary Shortcode Execution Vulnerability in The Authors List Plugin
CVE-2024-10952

7.3 HIGH

Key Information:

Vendor

WordPress

CVE Published:

4 December 2024

What is CVE-2024-10952?

The Authors List plugin for WordPress is affected by an arbitrary shortcode execution vulnerability. The plugin's update_authors_list_ajax AJAX action passes user-supplied input to do_shortcode without validating it. Because do_shortcode will expand any shortcode tag registered on the site, an unauthenticated attacker can invoke not only the plugin's own shortcodes but any shortcode exposed by the active theme and other installed plugins; the practical impact therefore depends on what those shortcodes do, and can range from disclosure of content to unauthorized actions and, where a registered shortcode performs sensitive operations, code execution within the WordPress environment. All versions of the plugin up to and including 2.0.4 are affected, and sites running it should update promptly.
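As an added illustration, not code from the Authors List plugin (which this page does not reproduce), the PHP below contrasts the pattern described above, an AJAX handler that hands request text straight to do_shortcode, with a hardened handler that never lets the client choose the shortcode. Every name prefixed example_ (the AJAX action, the nonce action, the shortcode tag) is hypothetical; the WordPress functions used (check_ajax_referer, wp_unslash, sanitize_text_field, absint, esc_attr, do_shortcode, wp_send_json_success, wp_send_json_error) are the real core APIs.

```php
<?php
/**
 * Illustrative only: the vulnerable pattern described above beside a
 * hardened replacement. Not the plugin's actual code.
 */

// --- Vulnerable pattern (shown for contrast, do not deploy) ----------------
// Registered on wp_ajax_nopriv_, so it is reachable without logging in, and
// the raw request value is expanded by do_shortcode, so the caller can invoke
// any shortcode registered by the theme or any active plugin.
function example_authors_list_ajax_vulnerable() {
    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $shortcode ); // arbitrary shortcode execution
    wp_die();
}

// --- Hardened pattern ------------------------------------------------------
// 1. The client never supplies shortcode text, only attribute values.
// 2. Each attribute key and value is checked against a fixed allowlist.
// 3. The shortcode tag is a constant chosen by the plugin, not the caller.
// 4. A nonce ties the request to a page the plugin itself rendered.
function example_authors_list_ajax_hardened() {
    // 'example_authors_list' is a hypothetical nonce action name; the page
    // that issues the request must embed wp_create_nonce( 'example_authors_list' ).
    check_ajax_referer( 'example_authors_list', 'nonce' );

    // Allowlist: a callable rule means "coerce with this", an array means
    // "must be one of these exact values".
    $allowed_attrs = array(
        'number'  => 'absint',                       // non-negative integer
        'orderby' => array( 'name', 'post_count' ),  // fixed choices
        'order'   => array( 'ASC', 'DESC' ),
    );

    $attrs = array();
    foreach ( $allowed_attrs as $key => $rule ) {
        if ( ! isset( $_POST[ $key ] ) ) {
            continue; // absent attributes fall back to the shortcode's defaults
        }
        $value = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
        if ( is_array( $rule ) ) {
            if ( ! in_array( $value, $rule, true ) ) {
                wp_send_json_error( 'invalid value for ' . $key, 400 );
            }
        } else {
            $value = call_user_func( $rule, $value );
        }
        // Values are now either allowlisted strings or integers, so they cannot
        // carry '[' or ']' into the shortcode text below.
        $attrs[] = sprintf( '%s="%s"', $key, esc_attr( $value ) );
    }

    // Hard-coded tag; only validated attributes reach do_shortcode.
    $shortcode = '[example_authors_list ' . implode( ' ', $attrs ) . ']';
    wp_send_json_success( do_shortcode( $shortcode ) );
}

add_action( 'wp_ajax_example_authors_list', 'example_authors_list_ajax_hardened' );
add_action( 'wp_ajax_nopriv_example_authors_list', 'example_authors_list_ajax_hardened' );
```

Two points worth checking in any similar handler: the nonce check alone would not have prevented this class of issue, because a nonce only proves the request came from a page the site rendered, not that the shortcode text is safe; and the wp_ajax_nopriv_ registration should be dropped, with a current_user_can() check added, whenever the output is not meant for anonymous visitors.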

Affected Version(s)

Authors List (all versions) <= 2.0.4


CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Score: 7.3
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Timeline

  • Vulnerability published: 4 December 2024

  • Vulnerability reserved

Credit

Arkadiusz Hydzik