Arbitrary Shortcode Execution Vulnerability in Photo Album Plus Plugin
CVE-2024-10958

7.3HIGH

Key Information:

Vendor: Wordpress
Status: WP Photo Album Plus
Vendor: CVE Published:; 10 November 2024

Summary

The WP Photo Album Plus plugin for WordPress has a vulnerability that exposes users to arbitrary shortcode execution through an AJAX action known as getshortcodedrenderedfenodelay. This vulnerability arises when the plugin fails to adequately validate user inputs before executing shortcodes with the do_shortcode function. As a consequence, it empowers unauthenticated attackers to leverage this flaw, potentially executing malicious shortcodes and compromising the security of WordPress installations running versions up to and including 8.8.08.007.

Affected Version(s)

WP Photo Album Plus * <= 8.8.08.007

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-photo-album...

https://wordpress.org/plugins/wp-photo-album-plus/#develo...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 10, 2024
Vulnerability Reserved
Nov 6, 2024

Credit

Arkadiusz Hydzik