Arbitrary Shortcode Execution Vulnerability in Photo Album Plus Plugin
CVE-2024-10958

7.3HIGH

Key Information:

Vendor: Wordpress
Status: WP Photo Album Plus
Vendor: CVE Published:; 10 November 2024

What is CVE-2024-10958?

The WP Photo Album Plus plugin for WordPress has a vulnerability that exposes users to arbitrary shortcode execution through an AJAX action known as getshortcodedrenderedfenodelay. This vulnerability arises when the plugin fails to adequately validate user inputs before executing shortcodes with the do_shortcode function. As a consequence, it empowers unauthenticated attackers to leverage this flaw, potentially executing malicious shortcodes and compromising the security of WordPress installations running versions up to and including 8.8.08.007.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WP Photo Album Plus * <= 8.8.08.007

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-photo-album...

https://wordpress.org/plugins/wp-photo-album-plus/#develo...

EPSS Score

49% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 10, 2024
Vulnerability Reserved
Nov 6, 2024

Credit

Arkadiusz Hydzik

JSON

Wordpress