Platform: wordpress
Component: gamipress
Fixed in: 7.2.2
CVE-2024-13495 describes an arbitrary shortcode execution vulnerability discovered in the GamiPress WordPress plugin. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to website defacement, data theft, or even complete server compromise. The vulnerability affects versions of GamiPress up to and including 7.2.1. A patch is expected from the vendor.
The impact of this vulnerability is significant due to its ease of exploitation and the potential for widespread damage. An attacker could leverage this flaw to inject malicious shortcodes into the WordPress site, allowing them to execute arbitrary PHP code. This could lead to the theft of sensitive user data, modification of website content, or even the complete takeover of the WordPress installation. The ability to execute arbitrary shortcodes bypasses standard WordPress security measures, making it a particularly dangerous vulnerability. Successful exploitation could also lead to denial of service by injecting shortcodes that consume excessive server resources.
This vulnerability was publicly disclosed on 2025-01-22. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation suggests that a PoC is likely to emerge soon. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on shortcode execution aligns with common WordPress attack vectors.
Websites utilizing the GamiPress plugin, particularly those with limited security hardening or those running older, unpatched versions of WordPress, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also particularly vulnerable, as a compromise on one site could potentially impact others.
Detection and remediation commands (wordpress / composer / npm):
• grep -r 'gamipress_ajax_get_logs()' /var/www/html/wp-content/plugins/gamipress/
• wp plugin list --status=all | grep GamiPress
• wp plugin update gamipress
Exploit status
EPSS: 0.83% (75th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-13495 is to upgrade to the latest version of the GamiPress plugin as soon as a patched version is released by the vendor. Until a patch is available, consider temporarily disabling the gamipress_ajax_get_logs() function or restricting access to it. Implementing a Web Application Firewall (WAF) with rules to block suspicious shortcode execution attempts can provide an additional layer of defense. Regularly review WordPress plugin installations and remove any unused or outdated plugins to reduce the attack surface.
Update the GamiPress plugin to the most recent version available. The vulnerability allows arbitrary shortcode execution without authentication, so updating is crucial to protect your website.
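One way to implement the interim "restrict access to it" mitigation above is a must-use plugin that removes the unauthenticated AJAX registration of the handler while leaving it available to logged-in users. The following is an added example written for this page, not GamiPress code or a vendor-supplied fix. It assumes only the callback name given in the advisory (gamipress_ajax_get_logs); the AJAX action names GamiPress registers are not known here, so the hook table is scanned instead, and the main plugin file path gamipress/gamipress.php used for the version check is an assumption.

```php
<?php
/**
 * Plugin Name: Interim hardening for CVE-2024-13495 (added example, not GamiPress code)
 *
 * Place in wp-content/mu-plugins/ only until GamiPress 7.2.2 or later is installed.
 * It unhooks gamipress_ajax_get_logs() from every wp_ajax_nopriv_* action so the
 * handler is no longer reachable without a logged-in session, while the wp_ajax_*
 * (authenticated) registration is left untouched.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Returns true once the installed GamiPress version is at or above the fixed release.
 * Assumption: the plugin's main file is gamipress/gamipress.php.
 */
function cve_2024_13495_gamipress_is_patched() {
    $main_file = WP_PLUGIN_DIR . '/gamipress/gamipress.php';
    if ( ! is_readable( $main_file ) ) {
        return false; // Plugin absent or unreadable: stay in the safe state.
    }
    $data = get_file_data( $main_file, array( 'Version' => 'Version' ) );
    return ! empty( $data['Version'] ) && version_compare( $data['Version'], '7.2.2', '>=' );
}

/**
 * Removes the named callback from every unauthenticated AJAX hook.
 * Returns the list of hooks it was removed from (useful for logging / review).
 */
function cve_2024_13495_unhook_nopriv_callback( $callback ) {
    global $wp_filter;
    $removed = array();

    foreach ( $wp_filter as $hook => $wp_hook ) {
        // Only the unauthenticated AJAX entry points are of interest here.
        if ( 0 !== strpos( $hook, 'wp_ajax_nopriv_' ) || ! ( $wp_hook instanceof WP_Hook ) ) {
            continue;
        }
        foreach ( $wp_hook->callbacks as $priority => $callbacks ) {
            foreach ( $callbacks as $cb ) {
                // Closures / method arrays never match a plain string, so they are skipped.
                if ( $callback === $cb['function'] ) {
                    remove_action( $hook, $callback, $priority );
                    $removed[] = $hook;
                }
            }
        }
    }
    return $removed;
}

// Run late on init so registrations made by the plugin at plugins_loaded/init are seen.
add_action( 'init', function () {
    if ( cve_2024_13495_gamipress_is_patched() ) {
        return; // Fixed release in place: the mu-plugin can be deleted.
    }
    $removed = cve_2024_13495_unhook_nopriv_callback( 'gamipress_ajax_get_logs' );
    if ( $removed && defined( 'WP_DEBUG' ) && WP_DEBUG ) {
        error_log( 'CVE-2024-13495 interim hardening: unhooked gamipress_ajax_get_logs from '
            . implode( ', ', $removed ) );
    }
}, PHP_INT_MAX );
```

Because the version check reads the plugin header rather than a plugin-defined constant, the mu-plugin becomes a no-op automatically once `wp plugin update gamipress` installs 7.2.2 or later; confirm with `wp plugin list --status=all | grep GamiPress` and then delete the file.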
CVE-2024-13495 is a HIGH severity vulnerability in the GamiPress WordPress plugin allowing unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
You are affected if you are using GamiPress version 7.2.1 or earlier. Check your plugin version and upgrade as soon as a patch is available.
Upgrade to the latest version of the GamiPress plugin as soon as a patch is released by the vendor. Until then, consider disabling the vulnerable function or implementing a WAF.
While no active exploitation has been confirmed, the ease of exploitation suggests that it is likely to be targeted soon.
Check the official GamiPress website and WordPress plugin repository for updates and security advisories related to CVE-2024-13495.