Platform: wordpress
Component: wp-special-textboxes
Fixed in: 6.2.3
CVE-2024-8481 describes an arbitrary shortcode execution vulnerability affecting the Special Text Boxes plugin for WordPress. This flaw allows unauthenticated attackers to inject and execute shortcodes within comments, potentially compromising the website's functionality and security. The vulnerability impacts versions up to and including 6.2.2, and a fix is available in a later version.
The arbitrary shortcode execution vulnerability allows an attacker to inject malicious shortcodes into comments on a WordPress site using the Special Text Boxes plugin. These shortcodes can then be executed when the comment is displayed, potentially leading to a variety of harmful outcomes. Attackers could inject shortcodes that deface the website, redirect users to malicious sites, steal sensitive data, or even execute arbitrary code on the server. The impact is particularly severe because the vulnerability is unauthenticated, meaning anyone can exploit it without needing a user account.
CVE-2024-8481 was publicly disclosed on September 25, 2024. There are currently no known public proof-of-concept exploits available, but the ease of exploitation makes it likely that one will emerge. The vulnerability is not currently listed on the CISA KEV catalog. Given the unauthenticated nature and potential impact, it is considered a high-priority vulnerability to address.
Websites using the Special Text Boxes plugin, particularly those with comment functionality enabled, are at risk. Shared hosting environments where multiple websites share the same server are also at higher risk, as a compromise on one site could potentially impact others. Sites with legacy WordPress configurations or those that haven't regularly updated their plugins are especially vulnerable.
• wordpress / composer / npm:
grep -rF "add_filter('comment_text', 'do_shortcode');" /var/www/html/wp-content/plugins/special-text-boxes/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'special-text-boxes'
• wordpress / composer / npm:
wp plugin update special-text-boxes
Exploit status:
EPSS: 1.43% (81st percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-8481 is to upgrade the Special Text Boxes plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible, consider temporarily disabling comments on affected pages or implementing a Web Application Firewall (WAF) rule to block shortcode execution in comments. A WAF rule could filter out comments containing suspicious shortcodes. Carefully review all comments before publishing to identify and remove any potentially malicious shortcodes. After upgrading, verify the fix by attempting to submit a comment containing a known malicious shortcode and confirming that it is not executed.
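As an added example (not the plugin's or the advisory's own code), a WordPress must-use plugin that applies the temporary workaround above at the application layer until the update is installed: it detaches the `comment_text` / `do_shortcode` hook the grep line looks for and strips registered shortcodes from comments on submission and on output. The hook name, callback and default priority 10 are assumed from that grep line; `wp-content/mu-plugins/` is the standard must-use plugin directory.

```php
<?php
/**
 * Plugin Name: Stopgap: no shortcode execution in comments
 * Description: Temporary hardening while waiting to update the Special Text Boxes plugin.
 * Install: copy this file into wp-content/mu-plugins/ (must-use plugins need no activation).
 */

// Must-use plugins load before regular plugins, so wait for plugins_loaded
// (fired after every plugin has registered its hooks) before detaching anything.
add_action( 'plugins_loaded', function () {
    // Assumption taken from the advisory's grep line: the plugin registers
    // add_filter( 'comment_text', 'do_shortcode' ) at the default priority 10.
    // Without that hook, shortcodes in comments render as literal text, which
    // is WordPress core's default behaviour.
    if ( has_filter( 'comment_text', 'do_shortcode' ) !== false ) {
        remove_filter( 'comment_text', 'do_shortcode', 10 );
    }
}, 1000 ); // large priority number = run late, after other plugins_loaded callbacks

// Defence in depth on input: strip registered shortcode tags from comment content
// as it is submitted, so stored comments carry nothing for do_shortcode to expand
// even if another plugin re-attaches it to comment output later.
add_filter( 'pre_comment_content', function ( $content ) {
    return strip_shortcodes( $content );
}, 10, 1 );

// Defence in depth on output: run first (priority 1) in the comment_text chain so
// that any do_shortcode callback attached later in the chain sees no shortcodes.
add_filter( 'comment_text', function ( $text ) {
    return strip_shortcodes( $text );
}, 1, 1 );
```

strip_shortcodes() only removes tags that are registered at the time it runs, which is the set an attacker could actually trigger; bracketed text that matches no registered shortcode is left untouched.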
Update the Special Text Boxes plugin to the latest available version. This fixes the arbitrary shortcode execution vulnerability.
CVE-2024-8481 is a vulnerability in the Special Text Boxes WordPress plugin allowing unauthenticated attackers to execute arbitrary shortcodes via comments, potentially leading to website compromise.
You are affected if you are running the Special Text Boxes plugin at version 6.2.2 or earlier on your WordPress site. Check your plugin versions immediately.
Upgrade the Special Text Boxes plugin to the latest available version to patch the vulnerability. If immediate upgrade is not possible, consider temporary workarounds like disabling comments or using a WAF.
While no public exploits are currently known, the ease of exploitation suggests active exploitation is possible. Monitor your website and implement mitigations proactively.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information regarding CVE-2024-8481.