Unauthenticated Shortcode Execution Vulnerability in Special Text Boxes Plugin
CVE-2024-8481
7.3 HIGH
Key Information:
- Vendor: Special Text Boxes
- Status
- CVE Published: 25 September 2024
Summary
The Special Text Boxes plugin for WordPress contains a vulnerability that permits arbitrary shortcode execution within comment sections. This flaw exists in all versions up to and including 6.2.2 and stems from the plugin registering the filter 'add_filter('comment_text', 'do_shortcode');', which causes every displayed comment to be passed through do_shortcode at render time. As a result, unauthenticated attackers can execute malicious shortcodes simply by placing them in a comment, posing serious security risks for websites using this plugin. Administrators are advised to immediately review their plugin versions and consider applying the necessary patches or disabling the plugin until a secure version is released.
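As an added defensive example (not code from the Special Text Boxes plugin or from this advisory), the following must-use plugin checks whether do_shortcode is hooked to comment_text, unhooks it, and strips shortcodes from comment text as defence in depth. The file name and the stb_hardening_* function names are assumptions; has_filter, remove_filter, strip_shortcodes and the init hook are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Harden comment_text against shortcode execution
 * Description: Defensive must-use plugin (added example, not part of the
 *   Special Text Boxes plugin). Assumed location: wp-content/mu-plugins/.
 */

// The affected plugin (<= 6.2.2) registers do_shortcode as a comment_text
// filter. The registration described in the advisory, shown for reference
// only (do not add this to a site):
//   add_filter('comment_text', 'do_shortcode');
// comment_text runs for every displayed comment, so any visitor who can
// post a comment gets their [shortcode] text expanded at render time.

// Detection: report whether the dangerous filter is currently registered.
// has_filter() returns the priority (int) if it is, false otherwise.
function stb_hardening_detect_comment_shortcode_filter() {
    return has_filter('comment_text', 'do_shortcode');
}

// Mitigation 1: unregister the filter at whatever priority it was added with
// (remove_filter only matches when the priority is the same).
function stb_hardening_remove_comment_shortcode_filter() {
    $priority = stb_hardening_detect_comment_shortcode_filter();
    if ($priority !== false) {
        remove_filter('comment_text', 'do_shortcode', $priority);
        error_log('stb-hardening: removed do_shortcode from comment_text '
            . '(priority ' . $priority . ')');
    }
}
// mu-plugins load before regular plugins, so wait until init, after all
// plugins have had a chance to register hooks, and run last on that action.
add_action('init', 'stb_hardening_remove_comment_shortcode_filter', PHP_INT_MAX);

// Mitigation 2 (defence in depth): strip registered shortcodes from comment
// text before any later comment_text filter could expand them. Priority 1
// runs ahead of the default priority 10 that add_filter() uses when none is
// given, so this holds even if the filter is re-registered later than init.
function stb_hardening_strip_comment_shortcodes($comment_text) {
    return strip_shortcodes($comment_text);
}
add_filter('comment_text', 'stb_hardening_strip_comment_shortcodes', 1);
```

Note that strip_shortcodes removes legitimate shortcode-looking text from comments as well, which is an acceptable trade-off for a comment field but should be confirmed against the site's expected comment content.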
CVSS V3.1
Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published