Arbitrary Shortcode Execution Vulnerability in Uix Slideshow Plugin
CVE-2024-9839

7.3HIGH

Key Information:

Vendor: Wordpress
Status: Uix Slideshow
Vendor: CVE Published:; 16 November 2024

Summary

The Uix Slideshow plugin for WordPress is susceptible to arbitrary shortcode execution across all versions up to and including 1.6.5. This vulnerability arises from inadequate validation of inputs when executing shortcodes, allowing unauthenticated attackers to manipulate this functionality. As a consequence, an attacker could execute arbitrary shortcodes, potentially leading to unauthorized actions or exposure of sensitive site data.

Affected Version(s)

Uix Slideshow * <= 1.6.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/uix-slideshow/#developers

https://plugins.trac.wordpress.org/browser/uix-slideshow/...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 16, 2024
Vulnerability Reserved
Oct 10, 2024

Credit

Francesco Carlucci