BuddyPress <= 14.3.3 - प्रमाणीकृत मनमाना शॉर्टकोड निष्पादन
प्लेटफ़ॉर्म
wordpress
घटक
buddypress
में ठीक किया गया
14.3.4
14.3.4
CVE-2024-11976 is a security vulnerability affecting the BuddyPress plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to unauthorized code execution and site compromise. The vulnerability impacts versions of BuddyPress up to and including 14.3.3, and a patch is available in version 14.3.4.
इस CVE को अपने प्रोजेक्ट में पहचानें
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
प्रभाव और हमले की स्थितियाँअनुवाद हो रहा है…
The arbitrary shortcode execution vulnerability in BuddyPress poses a significant risk to WordPress websites utilizing the plugin. An attacker could leverage this flaw to inject malicious code into the site through specially crafted shortcodes. This could lead to a variety of attacks, including defacement, data theft, redirection to malicious sites, and even complete site takeover. The ability to execute arbitrary code without authentication dramatically increases the potential impact, as it bypasses standard access controls. Successful exploitation could also allow attackers to gain access to sensitive user data stored within the BuddyPress plugin, such as profile information and private messages. The impact is amplified on sites with shared hosting environments, where a compromised BuddyPress installation could potentially affect other websites on the same server.
शोषण संदर्भअनुवाद हो रहा है…
CVE-2024-11976 was publicly disclosed on 2026-01-22. Currently, there are no known active campaigns targeting this vulnerability, but the availability of a public proof-of-concept is likely to increase the risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the widespread use of BuddyPress, makes this a potentially attractive target for malicious actors.
कौन जोखिम में हैअनुवाद हो रहा है…
WordPress websites utilizing the BuddyPress plugin, particularly those running versions prior to 14.3.4, are at risk. Shared hosting environments are especially vulnerable, as a compromised BuddyPress installation on one site could potentially impact others on the same server. Sites with custom shortcode implementations or plugins that interact with BuddyPress are also at increased risk.
पहचान के चरणअनुवाद हो रहा है…
• wordpress / composer / npm:
grep -r 'do_shortcode' /var/www/html/wp-content/plugins/buddypress/• wordpress / composer / npm:
wp plugin list --status=active | grep buddypress• wordpress / composer / npm:
wp plugin update buddypress --all• generic web: Check for unusual shortcode usage in website content, particularly in areas accessible to unauthenticated users.
हमले की समयरेखा
- Disclosure
disclosure
खतरा खुफिया
एक्सप्लॉइट स्थिति
EPSS
0.10% (27% शतमक)
CISA SSVC
CVSS वेक्टर
इन मेट्रिक्स का क्या मतलब है?
- Attack Vector
- नेटवर्क — इंटरनेट के माध्यम से दूरस्थ रूप से शोषण योग्य। कोई भौतिक या स्थानीय पहुंच आवश्यक नहीं।
- Attack Complexity
- निम्न — कोई विशेष शर्त नहीं। विश्वसनीय रूप से शोषण योग्य।
- Privileges Required
- कोई नहीं — बिना प्रमाणीकरण के शोषण योग्य।
- User Interaction
- कोई नहीं — स्वचालित और मूक हमला। पीड़ित कुछ नहीं करता।
- Scope
- अपरिवर्तित — प्रभाव केवल कमज़ोर घटक तक सीमित।
- Confidentiality
- निम्न — कुछ डेटा तक आंशिक पहुंच।
- Integrity
- निम्न — हमलावर सीमित दायरे में कुछ डेटा बदल सकता है।
- Availability
- निम्न — आंशिक या रुक-रुक कर सेवा से इनकार।
प्रभावित सॉफ्टवेयर
पैकेज जानकारी
- सक्रिय इंस्टॉलेशन
- 100Kलोकप्रिय
- प्लगइन रेटिंग
- 4.1
- WordPress आवश्यक
- 6.1+
- संगत संस्करण तक
- 6.8.5
- PHP आवश्यक
- 5.6+
कमजोरी वर्गीकरण (CWE)
समयरेखा
- आरक्षित
- प्रकाशित
- संशोधित
- EPSS अद्यतन
शमन और वर्कअराउंडअनुवाद हो रहा है…
The primary mitigation for CVE-2024-11976 is to immediately upgrade BuddyPress to version 14.3.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the BuddyPress plugin to reduce the attack surface. While a direct WAF rule is difficult to implement without specific shortcode patterns, a general rule blocking suspicious shortcode usage could provide a limited layer of protection. Regularly review and audit shortcode usage within your WordPress site to identify and remove any potentially malicious shortcodes. Ensure that WordPress core and all other plugins are also up to date to minimize overall vulnerabilities.
कैसे ठीक करें
संस्करण 14.3.4 में अपडेट करें, या एक नया पैच किया गया संस्करण
CVE सुरक्षा न्यूज़लेटर
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
अक्सर पूछे जाने वाले सवालअनुवाद हो रहा है…
What is CVE-2024-11976 — Arbitrary Shortcode in BuddyPress?
CVE-2024-11976 is a HIGH severity vulnerability in the BuddyPress plugin for WordPress, allowing unauthenticated attackers to execute arbitrary shortcodes.
Am I affected by CVE-2024-11976 in BuddyPress?
Yes, if you are using BuddyPress versions 14.3.3 or earlier, you are affected by this vulnerability.
How do I fix CVE-2024-11976 in BuddyPress?
Upgrade BuddyPress to version 14.3.4 or later to remediate the vulnerability. If immediate upgrade is not possible, temporarily disable the plugin.
Is CVE-2024-11976 being actively exploited?
While there are no confirmed active campaigns, the availability of a public proof-of-concept increases the risk of exploitation.
Where can I find the official BuddyPress advisory for CVE-2024-11976?
Refer to the official BuddyPress website and WordPress security announcements for the latest information and advisory regarding CVE-2024-11976.
क्या आपका प्रोजेक्ट प्रभावित है?
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।