Platform
wordpress
Component
paid-member-subscriptions
Fixed in
2.13.1
CVE-2024-10261 describes an arbitrary shortcode execution vulnerability discovered in the Paid Membership Subscriptions plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to unauthorized access and modification of website content. The vulnerability impacts versions of the plugin up to and including 2.13.0. A patch is available in later versions.
The arbitrary shortcode execution vulnerability is particularly dangerous because it bypasses authentication. An attacker can inject malicious shortcodes into the system, leading to a wide range of consequences. This could include defacing the website, injecting malicious code into pages, stealing sensitive data (if the plugin handles user data), or even gaining complete control of the WordPress installation. The impact is amplified if the website hosts sensitive information or processes user payments, as attackers could exploit this vulnerability to steal credentials or financial data. The ability to execute arbitrary shortcodes essentially grants the attacker the ability to run any code that a WordPress user with sufficient permissions could run.
This vulnerability was publicly disclosed on 2024-11-09. Currently, there are no reports of active exploitation in the wild, but the availability of a public vulnerability description increases the risk. No KEV listing exists at the time of writing. Public proof-of-concept code is likely to emerge, increasing the potential for exploitation.
WordPress websites utilizing the Paid Membership Subscriptions plugin, particularly those running versions 2.13.0 or earlier, are at risk. Sites with limited security monitoring or those that haven't implemented a robust plugin update process are especially vulnerable. Shared hosting environments where plugin updates are managed by the hosting provider should also be monitored closely.
• wordpress / composer / npm:
grep -r 'do_shortcode' /var/www/html/wp-content/plugins/paid-member-subscriptions/
• wordpress / composer / npm:
wp plugin list --status=all | grep 'paid-member-subscriptions'
• wordpress / composer / npm:
wp plugin update --all
Exploit status
EPSS
1.23% (79th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-10261 is to immediately upgrade the Paid Membership Subscriptions plugin to a version patched against this vulnerability. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider temporarily restricting access to the plugin's settings or disabling shortcode execution within the plugin's functionality. While not a complete solution, this can reduce the attack surface. Review WordPress user roles and permissions to ensure that only authorized users have access to sensitive areas of the site. Monitor WordPress access logs for suspicious activity, particularly attempts to execute unusual shortcodes.
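To confirm that the installed copy is actually at or above the fixed release 2.13.1, the following portable shell check reads the `Version:` header of the plugin's main file and compares it field by field. This is an added example, not code from the advisory or from the plugin's authors; it assumes the main file is `index.php` inside the plugin directory, and the sample header at the end is constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: flag a Paid Member Subscriptions install whose version is below
# the fixed release. Assumption: the plugin header lives in <plugin_dir>/index.php.
FIXED_VERSION="2.13.1"
PLUGIN_MAIN="/var/www/html/wp-content/plugins/paid-member-subscriptions/index.php"

# Print the value of the "Version:" header in a WordPress plugin main file.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Compare two dotted versions numerically per field; prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0;
            if (ai < bi) { print "-1"; exit }
            if (ai > bi) { print "1"; exit }
        }
        print "0"
    }'
}

# Exit status 0 when the file's version is older than FIXED_VERSION, 1 when patched,
# 2 when no Version header could be found.
is_vulnerable() {
    v=$(plugin_version "$1")
    [ -n "$v" ] || { echo "no Version header in $1" >&2; return 2; }
    [ "$(vercmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# Constructed sample header (not a real install) so the check can be exercised offline.
SAMPLE=$(mktemp)
printf '<?php\n/**\n * Plugin Name: Paid Member Subscriptions\n * Version: 2.13.0\n */\n' > "$SAMPLE"
TARGET="$PLUGIN_MAIN"
[ -f "$TARGET" ] || TARGET="$SAMPLE"
if is_vulnerable "$TARGET"; then
    echo "VULNERABLE: $TARGET reports $(plugin_version "$TARGET") (< $FIXED_VERSION)"
else
    echo "OK: $TARGET reports $(plugin_version "$TARGET")"
fi
rm -f "$SAMPLE"
```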
Update the Paid Membership Subscriptions plugin to the latest available version. The vulnerability allows execution of arbitrary shortcodes without authentication, so updating is essential to mitigate the risk.
CVE-2024-10261 is a HIGH severity vulnerability in the Paid Membership Subscriptions plugin for WordPress, allowing unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
Yes. If you are running the Paid Membership Subscriptions plugin at version 2.13.0 or earlier, you are vulnerable to this arbitrary shortcode execution flaw.
Upgrade the Paid Membership Subscriptions plugin to a version newer than 2.13.0. If immediate upgrade is not possible, consider temporary restrictions on shortcode functionality.
While there are no confirmed reports of active exploitation, the likelihood that proof-of-concept code becomes public increases the risk of exploitation.
Refer to the official Paid Membership Subscriptions website and WordPress plugin repository for the latest security advisories and updates related to CVE-2024-10261.