Plattform
wordpress
Komponente
buddypress
Behoben in
14.3.4
14.3.4
CVE-2024-11976 is a security vulnerability affecting the BuddyPress plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to unauthorized code execution and site compromise. The vulnerability impacts versions of BuddyPress up to and including 14.3.3, and a patch is available in version 14.3.4.
The arbitrary shortcode execution vulnerability in BuddyPress poses a significant risk to WordPress websites utilizing the plugin. An attacker could leverage this flaw to inject malicious code into the site through specially crafted shortcodes. This could lead to a variety of attacks, including defacement, data theft, redirection to malicious sites, and even complete site takeover. The ability to execute arbitrary code without authentication dramatically increases the potential impact, as it bypasses standard access controls. Successful exploitation could also allow attackers to gain access to sensitive user data stored within the BuddyPress plugin, such as profile information and private messages. The impact is amplified on sites with shared hosting environments, where a compromised BuddyPress installation could potentially affect other websites on the same server.
CVE-2024-11976 was publicly disclosed on 2026-01-22. Currently, there are no known active campaigns targeting this vulnerability, but the availability of a public proof-of-concept is likely to increase the risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the widespread use of BuddyPress, makes this a potentially attractive target for malicious actors.
WordPress websites utilizing the BuddyPress plugin, particularly those running versions prior to 14.3.4, are at risk. Shared hosting environments are especially vulnerable, as a compromised BuddyPress installation on one site could potentially impact others on the same server. Sites with custom shortcode implementations or plugins that interact with BuddyPress are also at increased risk.
• wordpress / composer / npm:
grep -r 'do_shortcode' /var/www/html/wp-content/plugins/buddypress/• wordpress / composer / npm:
wp plugin list --status=active | grep buddypress• wordpress / composer / npm:
wp plugin update buddypress --all• generic web: Check for unusual shortcode usage in website content, particularly in areas accessible to unauthenticated users.
disclosure
Exploit-Status
EPSS
0.10% (27% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-11976 is to immediately upgrade BuddyPress to version 14.3.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the BuddyPress plugin to reduce the attack surface. While a direct WAF rule is difficult to implement without specific shortcode patterns, a general rule blocking suspicious shortcode usage could provide a limited layer of protection. Regularly review and audit shortcode usage within your WordPress site to identify and remove any potentially malicious shortcodes. Ensure that WordPress core and all other plugins are also up to date to minimize overall vulnerabilities.
Aktualisieren Sie auf Version 14.3.4 oder eine neuere gepatchte Version
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-11976 is a HIGH severity vulnerability in the BuddyPress plugin for WordPress, allowing unauthenticated attackers to execute arbitrary shortcodes.
Yes, if you are using BuddyPress versions 14.3.3 or earlier, you are affected by this vulnerability.
Upgrade BuddyPress to version 14.3.4 or later to remediate the vulnerability. If immediate upgrade is not possible, temporarily disable the plugin.
While there are no confirmed active campaigns, the availability of a public proof-of-concept increases the risk of exploitation.
Refer to the official BuddyPress website and WordPress security announcements for the latest information and advisory regarding CVE-2024-11976.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.