Platform
wordpress
Component
buddypress
Fixed in
14.3.4
14.3.4
CVE-2024-11976 is a security vulnerability affecting the BuddyPress plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to unauthorized code execution and site compromise. The vulnerability impacts versions of BuddyPress up to and including 14.3.3, and a patch is available in version 14.3.4.
The arbitrary shortcode execution vulnerability in BuddyPress poses a significant risk to WordPress websites utilizing the plugin. An attacker could leverage this flaw to inject malicious code into the site through specially crafted shortcodes. This could lead to a variety of attacks, including defacement, data theft, redirection to malicious sites, and even complete site takeover. The ability to execute arbitrary code without authentication dramatically increases the potential impact, as it bypasses standard access controls. Successful exploitation could also allow attackers to gain access to sensitive user data stored within the BuddyPress plugin, such as profile information and private messages. The impact is amplified on sites with shared hosting environments, where a compromised BuddyPress installation could potentially affect other websites on the same server.
CVE-2024-11976 was publicly disclosed on 2026-01-22. Currently, there are no known active campaigns targeting this vulnerability, but the availability of a public proof-of-concept is likely to increase the risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the widespread use of BuddyPress, makes this a potentially attractive target for malicious actors.
Exploit Status
EPSS
0.10% (27% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11976 is to immediately upgrade BuddyPress to version 14.3.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the BuddyPress plugin to reduce the attack surface. While a direct WAF rule is difficult to implement without specific shortcode patterns, a general rule blocking suspicious shortcode usage could provide a limited layer of protection. Regularly review and audit shortcode usage within your WordPress site to identify and remove any potentially malicious shortcodes. Ensure that WordPress core and all other plugins are also up to date to minimize overall vulnerabilities.
Update to version 14.3.4, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-11976 is a HIGH severity vulnerability in the BuddyPress plugin for WordPress, allowing unauthenticated attackers to execute arbitrary shortcodes.
Yes, if you are using BuddyPress versions 14.3.3 or earlier, you are affected by this vulnerability.
Upgrade BuddyPress to version 14.3.4 or later to remediate the vulnerability. If immediate upgrade is not possible, temporarily disable the plugin.
While there are no confirmed active campaigns, the availability of a public proof-of-concept increases the risk of exploitation.
Refer to the official BuddyPress website and WordPress security announcements for the latest information and advisory regarding CVE-2024-11976.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.