Platform
wordpress
Component
kk-star-ratings
Fixed in
5.4.11
CVE-2024-11977 is a high-severity vulnerability affecting the kk Star Ratings – Rate Post & Collect User Feedbacks plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to website defacement, malicious code injection, or complete site takeover. The vulnerability impacts versions of the plugin up to and including 5.4.10. A patch is available; upgrading is the recommended remediation.
The arbitrary shortcode execution vulnerability in kk Star Ratings is particularly dangerous because it requires no authentication: attacker-controlled input reaches WordPress's shortcode processing (do_shortcode) without the request first being tied to a logged-in user. An anonymous attacker can therefore have the site render any shortcode registered by WordPress core, the active theme or any other installed plugin. What that yields depends on which shortcodes are available on the target site, but it can include injecting JavaScript to steal user credentials, redirecting users to phishing sites, or, where a shortcode exposes file or command handling, remote code execution on the WordPress server. Every site running an affected version is exposed regardless of the roles its users hold, because the attacker needs no account. Successful exploitation could compromise the entire WordPress installation and any data stored within it.
CVE-2024-11977 was publicly disclosed on December 21, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation makes it a likely target. It is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation.
Websites using the kk Star Ratings plugin, particularly those with limited security configurations or outdated WordPress installations, are at significant risk. Shared hosting environments where plugin updates are managed by the hosting provider are also vulnerable if they haven't applied the patch.
• wordpress / composer / npm: grep -r 'do_shortcode' /var/www/html/wp-content/plugins/kk-star-ratings/
• wordpress / composer / npm: wp plugin list --status=inactive | grep 'kk-star-ratings'
• wordpress / composer / npm: wp plugin list --status=active | grep 'kk-star-ratings'
• generic web: Check the WordPress plugin directory for discussions or reports related to CVE-2024-11977.
The grep only confirms that the plugin calls do_shortcode, and the wp plugin list commands only confirm that it is installed (an inactive copy is still worth updating, since it can be re-enabled later); neither tells you whether the installed version is below 5.4.11, so check the version as well.
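The checks above establish presence, not version. The following script is an added example, not code from the advisory or from the kk Star Ratings plugin: it reads the standard WordPress plugin header from the plugin directory, extracts the Version line, and compares it numerically against the fixed version 5.4.11. The sample plugin headers it writes to a temporary directory are constructed for the demonstration; the comparison is done field by field in awk so that 5.4.10 sorts below 5.4.11 (a plain string comparison would get this wrong).

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): decide whether an installed
# copy of kk Star Ratings is below the fixed version 5.4.11 by reading the
# "Version:" line of the plugin's main file header.

FIXED_VERSION="5.4.11"

# Print the version declared in the plugin header found under directory $1.
# The main file is located by its "Plugin Name:" header line, so no assumption
# about the file name is needed. Prints nothing if no header is found.
plugin_version() {
    main=$(grep -l 'Plugin Name:' "$1"/*.php 2>/dev/null | head -n 1)
    if [ -n "$main" ]; then
        sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$main" | head -n 1
    fi
}

# True (exit 0) when version $1 is strictly lower than version $2, comparing
# dot-separated components numerically; missing components count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print "vulnerable (<ver>)", "patched (<ver>)" or "unknown" for plugin directory $1.
assess_plugin() {
    ver=$(plugin_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable ($ver)"
    else
        echo "patched ($ver)"
    fi
}

# Constructed sample: writes a minimal WordPress plugin header with version $2 into
# directory $1. This is demonstration data, not the real plugin file.
make_sample() {
    mkdir -p "$1"
    printf '<?php\n/**\n * Plugin Name: kk Star Ratings - Rate Post & Collect User Feedbacks\n * Version: %s\n */\n' "$2" > "$1/index.php"
}

tmp=$(mktemp -d)
make_sample "$tmp/old" 5.4.10
make_sample "$tmp/new" 5.4.11
for d in "$tmp/old" "$tmp/new"; do
    echo "$d: $(assess_plugin "$d")"
done
rm -rf "$tmp"
```

On a real site, run `assess_plugin /var/www/html/wp-content/plugins/kk-star-ratings` (adjust the path to your install). A result of "unknown" means no plugin header was found at that path and should be treated as a failed check, not as a clean one.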
disclosure
Exploit status
EPSS
0.51% (67th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11977 is to upgrade the kk Star Ratings plugin to 5.4.11 or later without delay. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily deactivate the plugin. A web application firewall (WAF) with rules that block requests carrying shortcode syntax towards the plugin's endpoints can reduce exposure in the meantime, but it is not a substitute for the patch, since the exact request shape an attacker needs is not known in advance. Regularly scan your WordPress installation for vulnerable plugins with a security scanner. After upgrading, confirm the fix by checking that the installed plugin version reports 5.4.11 or later; submitting shortcodes through the plugin's interface to see whether they are "blocked" is not a reliable test and should not be the basis for signing off.
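For the monitoring and WAF points above, the following is an added example, not part of the advisory or the plugin: it scans web-server access logs for requests whose query string carries a shortcode-style token ("[name ...]"), which is the payload shape an attacker abusing arbitrary shortcode execution has to supply somewhere in the request. The log lines, paths and shortcode names are constructed placeholders; the plugin's real endpoint names are not assumed. Only query strings are inspected, because standard access logs do not record POST bodies.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): hunt access logs for
# requests that carry a shortcode token in the query string.

# Constructed sample in combined log format (not real traffic). The admin-ajax
# action name "rate" and the shortcode names are illustrative placeholders.
SAMPLE_LOG='203.0.113.5 - - [21/Dec/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=rate&id=12 HTTP/1.1" 200 51
203.0.113.7 - - [21/Dec/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=rate&id=%5Bsome_shortcode%5D HTTP/1.1" 200 912
203.0.113.9 - - [21/Dec/2024:10:00:03 +0000] "GET /?s=%5bgallery+ids%3d1%2c2%5d HTTP/1.1" 200 4100
203.0.113.11 - - [21/Dec/2024:10:00:04 +0000] "GET /wp-json/wp/v2/posts?include%5B%5D=1&per_page=5 HTTP/1.1" 200 300
203.0.113.13 - - [21/Dec/2024:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88'

# Read log lines on stdin and print the request path of each line whose query
# string contains a shortcode-like token once brackets (and %20) are decoded.
# A bare "[]" (PHP array parameters such as include[]=1) is deliberately not
# flagged: a shortcode needs a name directly after the opening bracket.
# Exit status follows grep: 0 if anything was flagged, 1 otherwise.
find_shortcode_requests() {
    awk '{ print $7 }' \
    | sed 's/%5[Bb]/[/g; s/%5[Dd]/]/g; s/%20/ /g' \
    | grep -E '\[[A-Za-z_][A-Za-z0-9_-]*([ +][^]]*)?\]'
}

printf '%s\n' "$SAMPLE_LOG" | find_shortcode_requests
```

Run it against a real log with `find_shortcode_requests < /var/log/nginx/access.log` (path assumed). Two of the five sample lines are flagged; the array-parameter request and the POST without a query string are not. Hits are evidence of attempts, not of success, and since the decoding is limited to brackets and spaces, payloads using other encodings (double encoding, for instance) need a fuller decoder than this one.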
Update the kk Star Ratings – Rate Post & Collect User Feedbacks plugin to the latest available version. This fixes the unauthenticated arbitrary shortcode execution vulnerability.
CVE-2024-11977 is a high-severity vulnerability in the kk Star Ratings WordPress plugin allowing unauthenticated attackers to execute arbitrary shortcodes, potentially compromising the entire website.
You are affected if you are using kk Star Ratings version 5.4.10 or earlier. Check your plugin version and upgrade immediately.
Upgrade the kk Star Ratings plugin to the latest version that addresses the vulnerability. If upgrading is not possible, temporarily disable the plugin.
While there are currently no confirmed active exploits, the vulnerability's ease of exploitation makes it a likely target. Monitor your website closely.
Check the kk Star Ratings plugin page on the WordPress plugin directory or the developer's website for the latest advisory and update information.