Arbitrary Shortcode Execution in GamiPress by GamiPress
CVE-2024-13495

7.3HIGH

Key Information:

Vendor: Wordpress
Status: Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress
Vendor: CVE Published:; 22 January 2025

What is CVE-2024-13495?

The GamiPress plugin, designed for gamification in WordPress, is susceptible to arbitrary shortcode execution due to inadequate validation in the gamipress_ajax_get_logs() function. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to unauthorized actions or compromises within the WordPress environment. All versions up to and including 7.2.1 are affected, emphasizing the need for users to ensure they are running the latest, secure versions to mitigate this risk.

Affected Version(s)

GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress * <= 7.2.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/gamipress/#developers

https://plugins.trac.wordpress.org/browser/gamipress/trun...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 22, 2025

Credit

Michael Mazzolini