Platform
wordpress
Component
auto-date-year-month
Fixed in
2.0.2
CVE-2024-9837 describes an arbitrary shortcode execution vulnerability within the AADMY – Add Auto Date Month Year Into Posts plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to website defacement, data theft, or even remote code execution. The vulnerability impacts versions of the plugin up to and including 2.0.1. A patch is expected from the plugin developer.
The impact of this vulnerability is significant because it is easy to exploit and the potential damage is broad. An attacker can use this flaw to inject shortcodes into the WordPress site, which the site then renders for other users or processes on the server side. Depending on the shortcodes available, this could lead to the execution of arbitrary PHP code and full control of the website: the attacker could steal sensitive data, modify content, redirect users to malicious sites, or install malware. The risk is heightened by the popularity of WordPress and the potential for large-scale exploitation if the flaw is left unaddressed.
CVE-2024-9837 was publicly disclosed on 2024-10-15. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature suggests a relatively low barrier to entry for exploitation. It is not currently listed on the CISA KEV catalog. Monitor security advisories and vulnerability databases for updates on exploitation activity.
Websites using the AADMY – Add Auto Date Month Year Into Posts plugin, particularly those with limited security configurations or shared hosting environments, are at risk. Sites with default WordPress configurations and those that haven't implemented robust access controls are especially vulnerable.
• wordpress / composer / npm:
grep -r 'do_shortcode' /var/www/html/wp-content/plugins/aadmy-add-auto-date-month-year-into-posts/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep aadmy
• wordpress / composer / npm:
wp plugin list | grep aadmy
Disclosure
Exploit status
EPSS
1.75% (83rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-9837 is to upgrade the AADMY – Add Auto Date Month Year Into Posts plugin to a patched version as soon as it becomes available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, restrict access to the plugin's settings page to administrators only. Review your WordPress site for any suspicious shortcodes or unexpected behavior. Implement a Web Application Firewall (WAF) with rules to block potentially malicious shortcode execution attempts.
Update the AADMY – Add Auto Date Month Year Into Posts plugin to a version later than 2.0.1. This fixes the unauthenticated arbitrary shortcode execution vulnerability.
CVE-2024-9837 is a HIGH severity vulnerability in the AADMY WordPress plugin allowing unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
You are affected if you are using the AADMY – Add Auto Date Month Year Into Posts plugin version 2.0.1 or earlier.
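As an added check that is not part of this advisory or of the plugin's own code, the following Python script reports whether a local AADMY install falls in the affected range (2.0.1 or earlier, fixed in 2.0.2) and flags do_shortcode() statements that take their input straight from PHP request superglobals, the code pattern behind arbitrary shortcode execution. The plugin path is the one from the grep command above; the PHP samples embedded in the script are constructed, not the plugin's real source.

```python
# Added example, not from the advisory or the plugin's own code. Checks a local copy of
# the AADMY plugin for the version range CVE-2024-9837 affects (<= 2.0.1, fixed in 2.0.2)
# and flags do_shortcode() calls fed straight from PHP request superglobals, the pattern
# behind arbitrary shortcode execution bugs. Sample PHP below is constructed.
import re
from pathlib import Path

FIXED_VERSION = (2, 0, 2)  # "Fixed in 2.0.2" per the advisory
PLUGIN_DIR = Path("/var/www/html/wp-content/plugins/aadmy-add-auto-date-month-year-into-posts")

# "Version: x.y.z" header line of the main plugin file.
VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.M)
# A do_shortcode() statement whose arguments reference $_GET/$_POST/$_REQUEST:
# untrusted input reaching the shortcode parser.
RISKY_CALL = re.compile(r"do_shortcode\s*\([^;]*\$_(?:GET|POST|REQUEST)\b[^;]*;")

# Constructed samples (not the plugin's real source) showing what the scanner flags.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: AADMY\nVersion: 2.0.1\n*/\n"
SAMPLE_RISKY = "<?php\necho do_shortcode( wp_unslash( $_POST['aadmy_sc'] ) );\n"
SAMPLE_SAFE = "<?php\necho do_shortcode( '[aadmy_date format=\"Y-m\"]' );\n"


def parse_version(php_source):
    """Header version as an int tuple, or None when no Version: header is present."""
    m = VERSION_HEADER.search(php_source)
    return tuple(int(p) for p in m.group(1).strip(".").split(".")) if m else None


def is_affected(version):
    """Older than the fix release; tuple comparison keeps 2.0.10 above 2.0.2."""
    return tuple(version) < FIXED_VERSION


def risky_shortcode_calls(php_source):
    """Statements in which request data flows into do_shortcode()."""
    return [m.group(0).strip() for m in RISKY_CALL.finditer(php_source)]


def scan_plugin(plugin_dir):
    """Version from top-level PHP files, risky calls collected recursively."""
    report = {"version": None, "affected": None, "risky_calls": []}
    for php in sorted(plugin_dir.glob("*.php")):
        report["version"] = report["version"] or parse_version(php.read_text(errors="replace"))
    for php in sorted(plugin_dir.rglob("*.php")):
        for call in risky_shortcode_calls(php.read_text(errors="replace")):
            report["risky_calls"].append(f"{php.relative_to(plugin_dir)}: {call}")
    if report["version"] is not None:
        report["affected"] = is_affected(report["version"])
    return report


if __name__ == "__main__":
    print(scan_plugin(PLUGIN_DIR) if PLUGIN_DIR.is_dir() else f"{PLUGIN_DIR} not found")
```

A flagged statement is a lead, not proof: review how the request value is validated before it reaches do_shortcode(), and treat any version below 2.0.2 as affected regardless of what the grep finds.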
Upgrade the AADMY plugin to the latest available version as soon as a patch is released. Disable the plugin as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for rapid exploitation.
Check the AADMY plugin developer's website or WordPress plugin repository for the official advisory and patch release.