Arbitrary Shortcode Execution in GamiPress by GamiPress
CVE-2024-13495
7.3HIGH
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 22 January 2025
Summary
The GamiPress plugin, designed for gamification in WordPress, is susceptible to arbitrary shortcode execution due to inadequate validation in the gamipress_ajax_get_logs() function. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to unauthorized actions or compromises within the WordPress environment. All versions up to and including 7.2.1 are affected, emphasizing the need for users to ensure they are running the latest, secure versions to mitigate this risk.
Affected Version(s)
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress * <= 7.2.1
References
CVSS V3.1
Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Credit
Michael Mazzolini