Platform: wordpress
Component: kk-star-ratings
Fixed in: 5.4.11
CVE-2024-11977 is a high-severity vulnerability affecting the kk Star Ratings – Rate Post & Collect User Feedbacks plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to website defacement, malicious code injection, or complete site takeover. The vulnerability impacts versions of the plugin up to and including 5.4.10. A patch is available; upgrading is the recommended remediation.
The arbitrary shortcode execution vulnerability in kk Star Ratings is particularly dangerous because it bypasses authentication requirements. An attacker can inject malicious shortcodes into the plugin's functionality, leading to a wide range of harmful consequences. This could include injecting JavaScript to steal user credentials, redirecting users to phishing sites, or even gaining remote code execution on the WordPress server. The blast radius extends to all users of the affected plugin, regardless of their access privileges. Successful exploitation could compromise the entire WordPress installation and any data stored within it.
CVE-2024-11977 was publicly disclosed on December 21, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation makes it a likely target. It is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation.
Exploit Status
EPSS: 0.51% (67th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11977 is to immediately upgrade the kk Star Ratings plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, a web application firewall (WAF) configured to block suspicious shortcode execution patterns might offer some protection. Regularly scan your WordPress installation for vulnerable plugins with a security scanner. After upgrading, confirm the fix by attempting to execute a known malicious shortcode through the plugin's interface and verifying that it is blocked.
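The first step above is confirming which plugin version is installed. The following POSIX sh script is an added example, not code from the advisory or from the plugin: it reads the standard WordPress `Version:` header from the plugin's main file and compares it numerically against the fixed release 5.4.11, so that 5.4.9 and 5.4.10 both register as affected (plain string ordering would sort 5.4.10 below 5.4.9). The plugin file path and the sample header are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): report whether an installed
# kk Star Ratings copy is affected by CVE-2024-11977 (affected <= 5.4.10, fixed in 5.4.11).
# Assumes the plugin's main file carries the usual WordPress "Version:" header; the
# path wp-content/plugins/kk-star-ratings/index.php used below is an assumption.

FIXED_VERSION="5.4.11"

# Read the "Version:" header value from a WordPress plugin main file.
plugin_version() {
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r '
}

# Compare dotted versions component by component; prints -1, 0 or 1 for $1 <, =, > $2.
# String comparison would rank "5.4.9" above "5.4.10", which is why this exists.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "-beta"
    x=${x:-0}; y=${y:-0}                # a missing component counts as 0
    if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
    if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
  done
  echo 0
}

# Exit status 0 when the given version is still vulnerable (below FIXED_VERSION).
is_affected() {
  [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Report on a plugin main file: prints "affected <ver>" (exit 1), "patched <ver>" (exit 0)
# or "unknown" (exit 2) when no Version header can be read.
check_plugin_file() {
  v=$(plugin_version "$1")
  if [ -z "$v" ]; then echo "unknown"; return 2; fi
  if is_affected "$v"; then echo "affected $v"; return 1; fi
  echo "patched $v"
}

# Constructed sample header standing in for wp-content/plugins/kk-star-ratings/index.php.
SAMPLE=$(mktemp)
printf '<?php\n/**\n * Plugin Name: kk Star Ratings\n * Version: 5.4.10\n */\n' > "$SAMPLE"
check_plugin_file "$SAMPLE" || :   # prints "affected 5.4.10"; non-zero status flags action needed
rm -f "$SAMPLE"
```

Point `check_plugin_file` at the real plugin file on each site to audit a fleet; the exit status makes it usable from cron or a deployment pipeline.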
Update the kk Star Ratings – Rate Post & Collect User Feedbacks plugin to the latest available version. This fixes the unauthenticated arbitrary shortcode execution vulnerability.
CVE-2024-11977 is a high-severity vulnerability in the kk Star Ratings WordPress plugin allowing unauthenticated attackers to execute arbitrary shortcodes, potentially compromising the entire website.
You are affected if you are using kk Star Ratings version 5.4.10 or earlier. Check your plugin version and upgrade immediately.
Upgrade the kk Star Ratings plugin to the latest version that addresses the vulnerability. If upgrading is not possible, temporarily disable the plugin.
While there are currently no confirmed active exploits, the vulnerability's ease of exploitation makes it a likely target. Monitor your website closely.
Check the kk Star Ratings plugin page on the WordPress plugin directory or the developer's website for the latest advisory and update information.