Platform
wordpress
Component
authors-list
Fixed in
2.0.5
CVE-2024-10952 describes an arbitrary shortcode execution vulnerability discovered in the Authors List plugin for WordPress. This flaw allows unauthenticated attackers to inject and execute malicious shortcodes, potentially leading to website defacement, data theft, or even complete site takeover. The vulnerability affects versions of the plugin up to and including 2.0.4. A patch is available to address this issue.
The impact of this vulnerability is significant, as it allows unauthenticated attackers to execute arbitrary shortcodes on a WordPress site. Shortcodes can be used to embed various functionalities, including PHP code, which an attacker could leverage to gain control of the website. This could involve injecting malicious scripts, stealing sensitive data stored within the WordPress database, or modifying website content. The ability to execute arbitrary code without authentication dramatically increases the attack surface and potential for widespread compromise, especially on sites with shared hosting environments where multiple websites might be vulnerable.
CVE-2024-10952 was publicly disclosed on December 4, 2024. While no public proof-of-concept (PoC) code has been widely released, the ease of exploitation makes it likely that attackers are actively scanning for vulnerable instances. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the widespread use of WordPress, this vulnerability presents a significant risk.
Exploit Status
EPSS
1.09% (78% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-10952 is to immediately update the Authors List plugin to a version that includes the security patch. If updating is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the Authors List plugin to prevent exploitation. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block suspicious AJAX requests targeting the updateauthorslist_ajax action can provide an additional layer of defense. Regularly review WordPress plugin updates and security advisories to stay informed about potential vulnerabilities.
Actualice el plugin Authors List a la última versión disponible. Esto solucionará la vulnerabilidad de ejecución de shortcodes arbitrarios sin autenticación.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-10952 is a HIGH severity vulnerability in the Authors List WordPress plugin allowing unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
You are affected if you are using the Authors List plugin version 2.0.4 or earlier. Check your plugin version and update immediately.
Update the Authors List plugin to the latest version, which contains the security patch. If updating is not possible, temporarily disable the plugin.
While no widespread exploitation has been confirmed, the ease of exploitation suggests attackers are likely scanning for vulnerable instances.
Refer to the Authors List plugin's official website or WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.