Platform
wordpress
Component
enable-shortcodes-inside-widgetscomments-and-experts
Fixed version
1.0.1
CVE-2024-9846 describes an arbitrary shortcode execution vulnerability within the Enable Shortcodes inside Widgets,Comments and Experts plugin for WordPress. This flaw allows unauthenticated attackers to inject and execute malicious shortcodes, potentially leading to website defacement, data theft, or remote code execution. The vulnerability impacts versions up to and including 1.0.0. A patch is expected from the plugin developer.
The impact of CVE-2024-9846 is significant due to its ease of exploitation and the potential for widespread compromise. An attacker can leverage this vulnerability to execute arbitrary PHP code through shortcodes, effectively gaining control over the affected WordPress website. This could involve modifying content, injecting malware, stealing sensitive data (user credentials, database information), or even pivoting to other systems on the network. The lack of authentication required for exploitation further amplifies the risk, making it accessible to a wide range of attackers.
CVE-2024-9846 was publicly disclosed on 2024-10-30. Currently, no public proof-of-concept (POC) exploits have been released, but the vulnerability's ease of exploitation suggests that it is likely to be targeted. It is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Websites using the Enable Shortcodes inside Widgets,Comments and Experts plugin, particularly those running versions prior to the patch release, are at risk. Shared hosting environments where multiple websites share the same server are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'do_shortcode' /var/www/html/wp-content/plugins/enable-shortcodes-inside-widgets-comments-and-experts/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep enable-shortcodes
• wordpress / composer / npm:
wp plugin list | grep enable-shortcodes
Disclosure
Exploit status
EPSS
0.78% (74th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-9846 is to upgrade the Enable Shortcodes inside Widgets,Comments and Experts plugin to a patched version as soon as it becomes available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, restrict shortcode usage within widgets and comments to a predefined whitelist of safe shortcodes. Monitor WordPress logs for suspicious shortcode activity and implement a Web Application Firewall (WAF) with rules to block potentially malicious shortcode injections.
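The allowlist workaround described above, as an added example that is not code from the plugin or from WordPress core: a filter that strips every registered shortcode except the approved ones from comment and widget text before a do_shortcode() filter can expand them. It relies on core's get_shortcode_regex( $tagnames ) and strip_shortcode_tag(), the same pair strip_shortcodes() uses; the allowlist contents, the priority of 9 (assumed to run ahead of a filter added at the default priority 10) and the widget_text hook are assumptions to verify against the site and the plugin's actual hooks.

```php
<?php
// Added example, not the plugin's own code. Names below marked as
// assumptions should be adjusted to the site being protected.

// Shortcodes permitted inside user-controlled comment/widget text.
// 'site_note' is a placeholder for a site-defined shortcode (assumption).
const SAFE_USER_SHORTCODES = array( 'site_note' );

/**
 * Remove every registered shortcode tag that is not on the allowlist,
 * leaving the allowed tags in place for later expansion.
 *
 * Mirrors what core's strip_shortcodes() does, but restricts the regex
 * to the disallowed tag names instead of all registered tags.
 */
function restrict_shortcodes_to_allowlist( $content, array $allowed ) {
    global $shortcode_tags; // core registry filled by add_shortcode()

    if ( empty( $shortcode_tags ) || ! is_array( $shortcode_tags ) ) {
        return $content;
    }
    if ( false === strpos( $content, '[' ) ) {
        return $content; // nothing that could be a shortcode
    }

    $disallowed = array_diff( array_keys( $shortcode_tags ), $allowed );
    if ( empty( $disallowed ) ) {
        return $content;
    }

    // Only registered tags can execute, so only those need stripping.
    $pattern = '/' . get_shortcode_regex( array_values( $disallowed ) ) . '/';
    return preg_replace_callback( $pattern, 'strip_shortcode_tag', $content );
}

// Priority 9 is an assumption: it runs before a do_shortcode() filter that
// was registered at WordPress's default priority of 10.
add_filter( 'comment_text', function ( $text ) {
    return restrict_shortcodes_to_allowlist( $text, SAFE_USER_SHORTCODES );
}, 9 );

// widget_text is a core filter; whether the plugin hooks this one or a
// different widget filter is an assumption to confirm in its source.
add_filter( 'widget_text', function ( $text ) {
    return restrict_shortcodes_to_allowlist( $text, SAFE_USER_SHORTCODES );
}, 9 );
```

If the plugin registers its do_shortcode() filter at a lower priority than 9, lower this priority accordingly or the stripping will run too late.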
Update the Enable Shortcodes inside Widgets,Comments and Experts plugin to a version later than 1.0.0. This will fix the arbitrary shortcode execution vulnerability.
CVE-2024-9846 is a vulnerability in the Enable Shortcodes plugin for WordPress that allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation, potentially leading to website compromise.
You are affected if you are using the Enable Shortcodes plugin version 1.0.0 or earlier. Check your plugin version and upgrade as soon as a patch is available.
Upgrade the Enable Shortcodes plugin to the latest patched version. Until a patch is released, disable the plugin or restrict shortcode usage.
While no public exploits are currently available, the vulnerability's ease of exploitation suggests it is likely to be targeted. Monitor security advisories for updates.
Check the plugin developer's website or WordPress plugin repository for the official advisory and patch release.