Platform
wordpress
Component
wordpress-popular-posts
Fixed in
7.1.1
CVE-2024-11733 is an arbitrary shortcode execution vulnerability in the WordPress Popular Posts plugin. It allows unauthenticated attackers to inject and execute shortcodes of their choosing, which can compromise the affected site. All plugin versions up to and including 7.1.0 are affected; the fix is in 7.1.1, available from the plugin developer.
Arbitrary shortcode execution is a significant risk for sites running the Popular Posts plugin. Shortcodes are normally placed in content only by users with editing rights; this flaw lets an unauthenticated visitor invoke any shortcode registered by the active theme or plugins, with attacker-chosen attributes, without crossing that trust boundary. What an attacker gains depends on which shortcodes are registered: rendering attacker-controlled markup (content injection, defacement, redirects to phishing pages) is the common case, and shortcodes from other plugins that read files, make HTTP requests or embed scripts can escalate the impact further, up to data exposure and malware distribution. The flaw belongs to the same class as other shortcode vulnerabilities in which request-controlled input reaches WordPress's do_shortcode() without validation.
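To make the bug class concrete, the following is an added, hypothetical WordPress AJAX handler pattern. It is not the WordPress Popular Posts plugin's code (this page does not reproduce the plugin's source); it shows the shape of an unauthenticated arbitrary shortcode execution flaw next to one way of hardening it. The `wpp_demo_` function names, the `template` request field and the sample titles are assumptions made for the example.

```php
<?php
// Added illustrative example. This is NOT the WordPress Popular Posts plugin's
// code; it shows the shape of an unauthenticated arbitrary shortcode execution
// bug and one way to harden it. The wpp_demo_ names and the 'template' field
// are assumptions made for the example.

// --- Vulnerable pattern ------------------------------------------------------
// wp_ajax_nopriv_* hooks run for visitors who are not logged in. Here a
// request-controlled string is handed straight to do_shortcode(), so any
// shortcode registered by any active plugin or theme can be invoked, with
// attacker-chosen attributes, by anyone who can reach admin-ajax.php.
function wpp_demo_render_vulnerable() {
    $template = isset( $_POST['template'] ) ? wp_unslash( $_POST['template'] ) : '';
    echo do_shortcode( $template ); // '[any_registered_shortcode attr="..."]' straight from the request
    wp_die();
}
// add_action( 'wp_ajax_nopriv_wpp_demo_render', 'wpp_demo_render_vulnerable' ); // the bug: nopriv + do_shortcode on input

// --- Hardened pattern --------------------------------------------------------
// The client may only pick a server-defined template by key. Shortcode text
// never arrives from the request, and user-derived data is escaped before it
// is placed into the markup, so neither '[' nor '<' from user data is
// interpreted.
function wpp_demo_templates() {
    return array(
        'compact'  => '<ul class="wpp-list">{posts}</ul>',
        'detailed' => '<div class="wpp-grid">{posts}</div>',
    );
}

function wpp_demo_posts_html() {
    // Constructed sample titles standing in for a database query; the second
    // one carries shortcode and HTML syntax on purpose.
    $titles = array( 'Hello World', '[gallery ids="1"] <script>x()</script>' );
    $items  = '';
    foreach ( $titles as $title ) {
        $items .= '<li>' . esc_html( $title ) . '</li>';
    }
    return $items;
}

function wpp_demo_render_hardened() {
    $templates = wpp_demo_templates();
    $key       = isset( $_POST['template'] ) ? sanitize_key( wp_unslash( $_POST['template'] ) ) : 'compact';
    if ( ! array_key_exists( $key, $templates ) ) {
        // Reject anything outside the allowlist instead of trying to clean it.
        wp_send_json_error( array( 'message' => 'unknown template' ), 400 );
    }
    echo str_replace( '{posts}', wpp_demo_posts_html(), $templates[ $key ] );
    wp_die();
}
add_action( 'wp_ajax_nopriv_wpp_demo_render', 'wpp_demo_render_hardened' );

// If an endpoint genuinely must run caller-supplied shortcodes, it is an
// authenticated, nonce-protected, capability-gated operation, not a nopriv
// one. 'edit_posts' is the same bar WordPress applies to putting shortcodes
// into post content.
function wpp_demo_render_privileged() {
    check_ajax_referer( 'wpp_demo_render' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $template = wp_kses_post( wp_unslash( $_POST['template'] ?? '' ) );
    echo do_shortcode( $template );
    wp_die();
}
add_action( 'wp_ajax_wpp_demo_render_privileged', 'wpp_demo_render_privileged' );
```

The hardened handler removes the dangerous primitive entirely for unauthenticated callers: the request selects a key, never a string that will be interpreted. When reviewing a plugin for this class of bug, look for `do_shortcode()` whose argument can be traced back to `$_GET`, `$_POST` or a REST parameter on a `wp_ajax_nopriv_*` or unauthenticated REST route.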
CVE-2024-11733 was publicly disclosed on 2025-01-03. No public proof of concept (PoC) has been widely reported, but the flaw requires no authentication, which makes it a plausible target for automated scanning and exploitation. It is not currently listed in the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for signs of active exploitation campaigns.
WordPress sites with the Popular Posts plugin at version 7.1.0 or earlier are affected. Shared-hosting sites where plugin updates are not managed by the site owner, and sites with little or no security monitoring, are at elevated risk. Automatic updates reduce exposure only if they are enabled for this plugin and actually succeeding, so verify the installed version rather than assuming it is current.
• wordpress / composer / npm:
grep -r 'do_shortcode' /var/www/html/wp-content/plugins/wordpress-popular-posts/
• wordpress / composer / npm:
wp plugin list --status=all | grep 'wordpress-popular-posts'
• wordpress / composer / npm:
wp plugin update wordpress-popular-posts
The grep only confirms that the plugin calls do_shortcode(), which is not by itself evidence of the flaw; the version column printed by `wp plugin list` is what decides exposure (7.1.0 or earlier is affected), and the update command brings the plugin to the fixed release.
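Where WP-CLI is unavailable (common on the shared hosting called out above), the plugin's main file still carries its version in the standard WordPress plugin header. The following added PHP script, which is not part of the plugin or of this page's tooling, parses that header the way WordPress's own `get_file_data()` does and compares it with the fixed version 7.1.1 from this advisory. The default plugin path and the constructed sample header are assumptions.

```php
<?php
// Added example: report whether an installed WordPress Popular Posts copy is
// older than the fixed release named in this advisory. Not plugin code.
const WPP_FIXED_VERSION = '7.1.1';
// Assumed default WordPress layout; pass another path as the first argument.
const WPP_DEFAULT_MAIN_FILE = '/var/www/html/wp-content/plugins/wordpress-popular-posts/wordpress-popular-posts.php';

// Extracts "Version: x.y.z" from a plugin header block. The regex mirrors the
// one WordPress uses in get_file_data() (called by get_plugin_data()), which
// only inspects the first 8 KiB of the file.
function wpp_version_from_header( string $header_text ): ?string {
    if ( preg_match( '/^[ \t\/*#@]*Version:(.*)$/mi', $header_text, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

function wpp_installed_version( string $main_file ): ?string {
    if ( ! is_readable( $main_file ) ) {
        return null;
    }
    $head = file_get_contents( $main_file, false, null, 0, 8192 );
    return $head === false ? null : wpp_version_from_header( $head );
}

// Affected: all versions up to and including 7.1.0, i.e. anything below 7.1.1.
function wpp_is_vulnerable( string $version ): bool {
    return version_compare( $version, WPP_FIXED_VERSION, '<' );
}

if ( PHP_SAPI === 'cli' ) {
    // Constructed sample header so the script demonstrates itself offline.
    $sample = "<?php\n/**\n * Plugin Name: WordPress Popular Posts\n * Version: 7.1.0\n */\n";
    $v      = wpp_version_from_header( $sample );
    printf( "sample header: %s -> %s\n", $v, wpp_is_vulnerable( $v ) ? 'VULNERABLE' : 'patched' );

    $path      = $argv[1] ?? WPP_DEFAULT_MAIN_FILE;
    $installed = wpp_installed_version( $path );
    if ( $installed === null ) {
        fwrite( STDERR, "could not read a Version: header from $path\n" );
        exit( 2 );
    }
    printf( "%s: %s -> %s\n", $path, $installed, wpp_is_vulnerable( $installed ) ? 'VULNERABLE, update now' : 'patched' );
    exit( wpp_is_vulnerable( $installed ) ? 1 : 0 );
}
```

Run it as `php wpp_check.php [path/to/wordpress-popular-posts.php]`; the exit code (1 = vulnerable, 0 = patched, 2 = unreadable) makes it usable from a cron job or fleet scan. It uses `version_compare()` rather than string comparison so that a future 7.10.0 is not misread as older than 7.1.1.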
Exploit Status
EPSS
0.59% (69th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11733 is to upgrade the WordPress Popular Posts plugin to 7.1.1 or later immediately. If upgrading is not feasible right away because of compatibility or breaking changes, deactivate the plugin temporarily; a deactivated plugin's AJAX and REST handlers are not registered, which closes the exposure. A Web Application Firewall (WAF) rule that blocks requests whose parameters contain shortcode syntax adds a layer of defense but is not a substitute for the patch, since shortcode tags can be encoded or split in ways a signature misses. Regularly review the plugins in use, install only from trusted sources, and keep them up to date.
Update the WordPress Popular Posts plugin to the latest available version. The vulnerability allows unauthenticated users to execute arbitrary shortcodes, so updating is essential to mitigate the risk.
CVE-2024-11733 is a high-severity vulnerability affecting WordPress Popular Posts plugin versions up to and including 7.1.0 that allows unauthenticated attackers to execute arbitrary shortcodes.
Yes, if you are using WordPress Popular Posts plugin version 7.1.0 or earlier, you are vulnerable to this arbitrary shortcode execution flaw.
Upgrade the WordPress Popular Posts plugin to the latest available version to patch this vulnerability. If immediate upgrade is not possible, disable the plugin temporarily.
While no widespread exploitation has been confirmed, the ease of exploitation suggests it is a potential target for attackers. Monitor security advisories.
Refer to the WordPress Popular Posts plugin developer's website or the WordPress security announcements page for the official advisory.