Arbitrary File Inclusion Vulnerability in Stars Testimonials Plugin
CVE-2024-11429
Key Information:
- Vendor: WordPress
- CVE Published: 5 December 2024
What is CVE-2024-11429?
The Stars Testimonials plugin for WordPress, developed by Free Responsive Testimonials, contains a Local File Inclusion vulnerability that affects all versions up to and including 3.3.3. Through the use of the 'stars-testimonials-with-slider-and-masonry-grid' shortcode, authenticated users with contributor-level access or higher can exploit this vulnerability. This allows attackers to include and execute arbitrary PHP files on the server, which can lead to unauthorized access to sensitive data and the potential execution of malicious PHP code. The vulnerability poses significant security risks as it enables bypassing access controls and may facilitate further exploitation on compromised systems.
Affected Version(s)
Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials: all versions <= 3.3.3
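A triage sketch for site owners, added here as an example and not taken from the advisory or the plugin: it checks an installed version against the affected range and lists posts that use the shortcode, putting those with path-like attribute values first. The post rows, the attribute names `attr_a`/`attr_b` and the path-like heuristic are assumptions; the advisory does not name the vulnerable attribute.

```python
import re

SHORTCODE = "stars-testimonials-with-slider-and-masonry-grid"  # tag named in the advisory
LAST_AFFECTED = (3, 3, 3)  # "up to and including 3.3.3"

# Match the exact tag only, not a longer tag that merely starts with it.
TAG_RE = re.compile(r"\[" + re.escape(SHORTCODE) + r"(?![\w-])([^\]]*)\]")
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Heuristic (assumption): traversal, path separator, stream wrapper or .php in a value.
PATHLIKE_RE = re.compile(r"\.\.|[\\/]|://|\.php\b", re.I)

# Constructed sample rows standing in for wp_posts joined with the author's role.
SAMPLE_POSTS = [
    {"id": 101, "author_role": "contributor",
     "content": f'Intro [{SHORTCODE} attr_a="grid" count=3] outro'},
    {"id": 102, "author_role": "contributor",
     "content": f'[{SHORTCODE} attr_b="../x"]'},
    {"id": 103, "author_role": "editor", "content": '[gallery ids="1,2"]'},
    {"id": 104, "author_role": "author", "content": f'[{SHORTCODE}-extra a="b"]'},
]


def is_affected(version):
    """True if the installed plugin version is 3.3.3 or lower."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    return parts <= LAST_AFFECTED


def audit_posts(posts):
    """Return one finding per shortcode use, path-like attribute values first."""
    findings = []
    for post in posts:
        for match in TAG_RE.finditer(post["content"]):
            attrs = {name: (dq or sq or bare)
                     for name, dq, sq, bare in ATTR_RE.findall(match.group(1))}
            pathlike = sorted(k for k, v in attrs.items() if PATHLIKE_RE.search(v))
            findings.append({"post_id": post["id"],
                             "author_role": post["author_role"],
                             "attrs": attrs,
                             "pathlike_attrs": pathlike})
    findings.sort(key=lambda f: not f["pathlike_attrs"])  # stable: review these first
    return findings


if __name__ == "__main__":
    print("installed 3.3.3 affected:", is_affected("3.3.3"))
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding)
```

On a live site the rows would come from an export of published and pending posts; every finding on an affected version deserves review, since contributor-level accounts can author posts containing the shortcode.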