Platform
wordpress
Component
simple-spoiler
Fixed in
1.3.1
CVE-2024-8479 is a critical vulnerability affecting versions 1.2 through 1.3 of the Simple Spoiler WordPress plugin. The flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially compromising the entire WordPress site. It stems from the plugin registering the filter add_filter('comment_text', 'do_shortcode');, which causes every shortcode inside a comment to be processed when the comment is rendered. A patch is available.
The arbitrary shortcode execution vulnerability presents a significant risk to WordPress sites using the Simple Spoiler plugin. An attacker can inject malicious shortcodes into comments, which will then be executed by the server. This could allow them to execute arbitrary PHP code, deface the website, steal sensitive data, or even gain complete control of the server. The impact is amplified by the fact that the vulnerability requires no authentication, making it easily exploitable. Successful exploitation could lead to data breaches, denial of service, and complete site compromise, mirroring the impact of other shortcode execution vulnerabilities in WordPress plugins.
CVE-2024-8479 was publicly disclosed on September 14, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation suggests it could become a target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the vulnerability's simplicity.
WordPress sites utilizing the Simple Spoiler plugin, particularly those running versions 1.2 and 1.3, are at risk. Shared hosting environments where plugin updates are not managed by the site administrator are especially vulnerable, as are sites with weak comment moderation practices.
• wordpress / composer / npm:
grep -r "add_filter('comment_text', 'do_shortcode')" plugins/simple-spoiler/
• wordpress / composer / npm:
wp plugin list | grep simple-spoiler
• wordpress / composer / npm:
wp plugin update simple-spoiler
Exploit Status
EPSS
1.15% (78th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-8479 is to immediately upgrade the Simple Spoiler plugin to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests containing suspicious shortcodes in comment fields. Regularly review WordPress comment spam filters to identify and remove any potentially malicious comments. After upgrading, confirm the fix by attempting to inject a simple shortcode into a comment and verifying that it is not executed.
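The following must-use plugin is an added example, not code from the Simple Spoiler plugin or its 1.3.1 fix. It illustrates the two points above: the single filter registration that causes the problem (shown commented out for contrast) and a defensive counterpart that removes shortcode processing from comment text for sites that cannot upgrade yet. It assumes the standard wp-content/mu-plugins/ directory and assumes the offending filter was added at WordPress's default priority of 10; both are assumptions, not facts from the advisory.

```php
<?php
/**
 * Added example (not the plugin's own code): neutralise shortcode
 * expansion in comment text. Drop into wp-content/mu-plugins/ (assumed
 * standard path) so it loads before ordinary plugins.
 */

// The pattern described in the advisory. Every shortcode inside a comment
// is expanded when the comment is displayed. Shown for contrast only;
// leave it commented out.
// add_filter('comment_text', 'do_shortcode');

// 1. Remove the filter if any plugin registered it. Hooking 'init' at a
//    late priority means ordinary plugins have already run their own
//    add_filter() calls. remove_filter() must match the priority the filter
//    was added with; 10 is WordPress's default and is assumed here.
add_action('init', function () {
    remove_filter('comment_text', 'do_shortcode', 10);
}, 100);

// 2. Defence in depth: strip registered shortcode tags from comment text
//    at priority 5, before a priority-10 do_shortcode would see it, so
//    nothing is left to expand even if step 1 missed a non-default priority.
add_filter('comment_text', function ($text) {
    return strip_shortcodes($text);
}, 5);

// 3. Strip shortcodes at submission time as well, so new comments never
//    carry shortcode syntax into the database in the first place.
add_filter('preprocess_comment', function ($commentdata) {
    $commentdata['comment_content'] = strip_shortcodes($commentdata['comment_content']);
    return $commentdata;
});
```

Note that strip_shortcodes() only removes tags that are registered at the time it runs, which is the same set do_shortcode() would expand, so the two stay in step; literal bracketed text that is not a registered shortcode is left untouched. After upgrading to the patched release the mu-plugin can be removed, although keeping step 3 is a reasonable hardening for any site that accepts public comments.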
Update the Simple Spoiler plugin to the latest available version. The vulnerability allows unauthenticated users to execute arbitrary shortcodes, so updating is essential to mitigate the risk.
CVE-2024-8479 is a HIGH severity vulnerability in the Simple Spoiler WordPress plugin (versions 1.2–1.3) allowing unauthenticated attackers to execute arbitrary shortcodes through comment injection, potentially leading to site takeover.
If you are using the Simple Spoiler WordPress plugin in versions 1.2 or 1.3, you are potentially affected by this vulnerability. Immediate action is required.
The recommended fix is to upgrade the Simple Spoiler plugin to the latest available version. If upgrading is not possible, temporarily disable the plugin and implement WAF rules to block malicious shortcodes.
As of September 2024, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation suggests it could become a target.
Refer to the WordPress plugin repository and the Simple Spoiler plugin developer's website for the latest advisory and update information.