Platform
wordpress
Component
uix-shortcodes
Fixed in
1.9.10
CVE-2024-9772 describes an arbitrary shortcode execution vulnerability within the Uix Shortcodes – Compatible with Gutenberg plugin for WordPress. This flaw allows unauthenticated attackers to inject and execute malicious shortcodes, potentially compromising website functionality and data integrity. The vulnerability affects versions of the plugin up to and including 1.9.9. A patch is available to address this issue.
The arbitrary shortcode execution vulnerability presents a significant risk to WordPress websites that use the Uix Shortcodes plugin. An attacker could leverage this flaw to inject malicious shortcodes, which the WordPress server would then execute. This could let the attacker take control of the website's content, inject malicious scripts, redirect users to phishing sites, or even execute arbitrary code on the server. Because no authentication is required for exploitation, the attack surface is significantly broadened and the flaw is accessible to a wide range of threat actors. The potential impact extends beyond simple defacement and may lead to data breaches and the compromise of sensitive user information.
CVE-2024-9772 was publicly disclosed on 2024-10-26. No public proof-of-concept (POC) code has been widely reported as of this writing, but the vulnerability's nature makes it likely that a POC will emerge. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the plugin's popularity, it is reasonable to expect active exploitation attempts in the near future.
Websites running WordPress with the Uix Shortcodes plugin installed, particularly those with limited security configurations or outdated plugin versions, are at risk. Shared hosting environments where plugin updates are not consistently managed are also particularly vulnerable.
• wordpress / composer / npm:
  grep -r 'do_shortcode' /var/www/html/wp-content/plugins/uix-shortcodes/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep uix-shortcodes
• wordpress / composer / npm:
  wp plugin update uix-shortcodes
Disclosure
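The "Fixed in" value above is 1.9.10, and a naive string comparison sorts "1.9.10" before "1.9.9", so a version check must compare the dotted fields numerically. The following script is an added example and not part of the advisory or the plugin project; it assumes WP-CLI (`wp`) is on PATH and is run from the WordPress root, and otherwise demonstrates the decision on constructed sample versions.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an installed
# Uix Shortcodes version is below the fixed release 1.9.10. A plain string
# comparison gets this wrong ("1.9.10" sorts before "1.9.9"), so the dotted
# parts are compared numerically, field by field.
UIX_FIXED_VERSION="1.9.10"   # the advisory's "Fixed in" value

# vercmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B; missing fields count as 0
vercmp() {
    va="$1" vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa="${va%%.*}" fb="${vb%%.*}"
        # advance to the next field, or to empty when no dot is left
        case "$va" in *.*) va="${va#*.}" ;; *) va="" ;; esac
        case "$vb" in *.*) vb="${vb#*.}" ;; *) vb="" ;; esac
        # keep only the leading digits ("10-beta" -> "10"), default to 0
        fa="${fa%%[!0-9]*}"; fb="${fb%%[!0-9]*}"
        fa="${fa:-0}"; fb="${fb:-0}"
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# uix_version_vulnerable VERSION -> succeeds (exit 0) when VERSION < 1.9.10
uix_version_vulnerable() {
    [ "$(vercmp "$1" "$UIX_FIXED_VERSION")" = "-1" ]
}

# uix_installed_version -> prints the installed version via WP-CLI
# (assumes wp-cli is on PATH and the script runs from the WordPress root)
uix_installed_version() {
    command -v wp >/dev/null 2>&1 || return 1
    wp plugin get uix-shortcodes --field=version 2>/dev/null
}

# Stand-alone run: check the live site when WP-CLI is available, otherwise
# show the decision for a few constructed sample versions.
if v="$(uix_installed_version)" && [ -n "$v" ]; then
    if uix_version_vulnerable "$v"; then
        echo "uix-shortcodes $v is affected by CVE-2024-9772; update to $UIX_FIXED_VERSION or later"
    else
        echo "uix-shortcodes $v is at or above $UIX_FIXED_VERSION"
    fi
else
    for demo in 1.9.9 1.9.10 1.10.0; do
        uix_version_vulnerable "$demo" && echo "$demo: affected" || echo "$demo: fixed"
    done
fi
```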
Exploit status
EPSS
9.35% (93rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-9772 is to immediately upgrade the Uix Shortcodes – Compatible with Gutenberg plugin to a patched version. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider temporarily disabling the plugin. While not a complete solution, implementing strict input validation on any user-supplied data used within shortcodes can help reduce the attack surface. Regularly review WordPress plugin usage and remove any unnecessary or outdated plugins. After upgrading, confirm the fix by attempting to execute a known malicious shortcode and verifying that it is properly sanitized and does not execute.
Update the Uix Shortcodes – Compatible with Gutenberg plugin to the latest available version. This fixes the unauthenticated arbitrary shortcode execution vulnerability.
CVE-2024-9772 is a HIGH severity vulnerability in the Uix Shortcodes plugin for WordPress that allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
You are affected if you are using Uix Shortcodes plugin version 1.9.9 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Uix Shortcodes plugin to the latest available version. If upgrading is not possible, temporarily disable the plugin and consider implementing WAF rules.
While no widespread exploitation has been confirmed, the ease of exploitation suggests a potential for active campaigns. Monitor security advisories for updates.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.