Platform
wordpress
Component
wp-photo-album-plus
CVE-2024-10958 describes an arbitrary shortcode execution vulnerability discovered in the WP Photo Album Plus plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to website defacement, malicious code execution, or data compromise. The vulnerability affects versions of the plugin up to and including 8.8.08.007. A patch is available to address this issue.
The impact of this vulnerability is significant because the attacker needs no account on the site. Shortcodes are normally rendered only from content that an author or editor has saved, so an endpoint that lets an unauthenticated request choose which shortcode to render hands the attacker the capabilities of every shortcode registered on the site, whether by core, the theme, or any other installed plugin. Depending on what those shortcodes can do, that ranges from defacement and content injection to data disclosure, redirection of visitors to attacker-controlled sites, or the dropping of further malicious code. Because the request path is the public admin-ajax.php handler rather than an authenticated admin screen, the usual login and capability checks do not apply, which is why this is rated high risk. Given the popularity of WordPress and the plugin's install base, the potential for widespread impact is high.
CVE-2024-10958 was publicly disclosed on 2024-11-10. While no public proof-of-concept (PoC) has been widely released, the ease of exploiting arbitrary shortcode execution suggests a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Websites running the WP Photo Album Plus plugin at version 8.8.08.007 or earlier are at risk, regardless of whether the photo album features are actively used, because the vulnerable AJAX action is reachable as long as the plugin is active. Sites where plugin updates are not applied promptly are the most exposed, including shared or managed hosting setups where the site owner does not control the update schedule. Sites with weak WordPress hygiene in general, such as other outdated plugins or default credentials, face a higher chance that this bug is chained with another issue.
Detection and remediation commands (wordpress / composer / npm):
• Confirm the plugin is present on disk (note: the action name also appears in patched versions, so this only proves the plugin is installed, not that it is vulnerable):
grep -r 'getshortcodedrenderedfenodelay' /var/www/html/wp-content/plugins/wp-photo-album-plus/
• Read the installed version; 8.8.08.007 or lower is in the affected range:
wp plugin list --status=all | grep 'wp-photo-album-plus'
• Update the plugin:
wp plugin update wp-photo-album-plus
Disclosure
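The version comparison is the part of the triage above that is easy to get wrong by hand (a plain string compare puts 8.8.10 before 8.8.9). The following is an added example for this advisory, not code from the plugin or from the page's vendor: it parses the "Version:" line of a WordPress plugin header and compares it component by component against the last affected release. The path to the plugin's main file is the conventional location and is an assumption of this example, not something the advisory states; the sample header is constructed.

```python
"""Triage helper: is the installed WP Photo Album Plus version in the affected range?

Added example for this advisory, not code from the plugin or the page's vendor.
Assumption: the plugin's main file carries a standard WordPress plugin header
with a "Version:" line; the path below is the conventional location, not
something the advisory confirms.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

AFFECTED_MAX = "8.8.08.007"  # last affected version per the advisory

# Conventional location of the plugin header; assumption for this example.
PLUGIN_MAIN_FILE = Path("/var/www/html/wp-content/plugins/wp-photo-album-plus/wppa.php")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.8.08.007' into (8, 8, 8, 7) so components compare numerically.

    Dotted plugin versions are compared component by component, the way
    PHP's version_compare does it; a plain string compare would get
    '8.8.10' < '8.8.9' wrong. A non-numeric suffix such as '-beta' is dropped.
    """
    core = re.split(r"[^0-9.]", version.strip(), maxsplit=1)[0]
    return tuple(int(p) for p in core.split(".") if p != "")


def is_affected(version: str, affected_max: str = AFFECTED_MAX) -> bool:
    """True if version <= affected_max; shorter tuples are padded with zeros."""
    a, b = parse_version(version), parse_version(affected_max)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def version_from_header(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header block."""
    m = re.search(r"^[ \t]*\*?[ \t]*Version:[ \t]*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def check_installed(path: Path = PLUGIN_MAIN_FILE) -> str:
    """Read the header on disk and return a one-line verdict."""
    if not path.is_file():
        return f"not installed ({path} missing)"
    version = version_from_header(path.read_text(errors="replace"))
    if version is None:
        return "installed, version header not found"
    state = "AFFECTED" if is_affected(version) else "not affected"
    return f"{version}: {state} (affected range <= {AFFECTED_MAX})"


# Constructed sample header, modelled on the standard WordPress plugin header format.
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP Photo Album Plus
Version: 8.8.08.007
*/
"""

if __name__ == "__main__":
    sample = version_from_header(SAMPLE_HEADER)
    print("sample header:", sample, "->", "AFFECTED" if is_affected(sample) else "not affected")
    print("installed:", check_installed())
```

Run it on the web host as the user that owns the WordPress files; if the plugin lives somewhere other than the assumed path, pass that path to `check_installed`. The verdict from `wp plugin list` and from this script should agree; if they do not, the plugin directory on disk is not the one WordPress is loading.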
Exploit Status
EPSS
55.66% (98th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-10958 is to upgrade the WP Photo Album Plus plugin to the latest available version immediately. If upgrading is not feasible right away because of compatibility concerns, deactivate the plugin until it can be updated; a deactivated plugin does not register its AJAX actions, so the vulnerable handler is no longer reachable. A Web Application Firewall (WAF) rule that blocks requests to admin-ajax.php whose action parameter is getshortcodedrenderedfenodelay adds a layer of protection, but it is not a substitute for the patch: the rule must match the parameter in both the query string and the POST body, and it only covers traffic that actually passes through the WAF. Review WordPress plugin security updates regularly and apply them promptly to keep the attack surface small.
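Whether or not a WAF rule is in place, the access log is the quickest way to see if anyone has been calling this action. The following is an added example for this advisory, not code from the plugin, the page's vendor or any WAF product: it parses Apache/nginx "combined" format lines, flags GET requests to admin-ajax.php whose action is getshortcodedrenderedfenodelay, and separately flags POSTs to admin-ajax.php, because a POSTed action lives in the request body and never appears in an access log. The log lines are constructed for the example; the label names and the choice of what to flag are this example's own.

```python
"""Access-log triage for the AJAX action named in this advisory.

Added example, not code from the plugin, the page or any WAF vendor. The log
lines in SAMPLE_LOG are constructed; field layout follows the common
Apache/nginx "combined" format.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

TARGET_ACTION = "getshortcodedrenderedfenodelay"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# combined format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry: Dict[str, object]) -> Optional[str]:
    """Return a finding label for one parsed entry, or None if uninteresting."""
    parts = urlsplit(str(entry["target"]))
    if parts.path != AJAX_PATH:
        return None
    if entry["method"] == "GET":
        # For GET the action is in the query string and can be matched directly.
        action = parse_qs(parts.query).get("action", [""])[0]
        return "shortcode_action_get" if action == TARGET_ACTION else None
    if entry["method"] == "POST":
        # The body is not logged, so the action is invisible here; surface the
        # request so it can be checked against WAF or body-level logs.
        return "ajax_post_needs_body_inspection"
    return None


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over raw log lines and collect the flagged entries."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append({"ip": entry["ip"], "time": entry["time"],
                             "status": entry["status"], "label": label})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Counter:
    """Count findings per (label, source IP) to spot repeated probing."""
    return Counter((f["label"], f["ip"]) for f in findings)


# Constructed sample log; IPs are from the documentation range.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2024:09:12:01 +0000] "GET /wp-admin/admin-ajax.php?action=getshortcodedrenderedfenodelay HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.4 - - [10/Nov/2024:09:12:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2024:09:12:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 640 "-" "curl/8.4.0"',
    '198.51.100.4 - - [10/Nov/2024:09:13:00 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    'this line is not in combined format and is skipped',
    '203.0.113.7 - - [10/Nov/2024:09:14:30 +0000] "GET /wp-admin/admin-ajax.php?action=getshortcodedrenderedfenodelay HTTP/1.1" 403 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print(summarize(triage(SAMPLE_LOG)))
```

Feed the real log in with `triage(open(path).readlines())`. A 403 on a flagged GET, as in the last sample line, means the WAF rule blocked the request; a 200 means it was served and warrants a look at what was rendered. A burst of POSTs to admin-ajax.php from one external IP is the pattern to expect if the attacker sends the action in the body, and only the WAF or an application-level log can confirm which action it was.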
Update the WP Photo Album Plus plugin to the latest available version. The vulnerability allows arbitrary shortcodes to be executed without authentication, so updating as soon as possible is essential.
CVE-2024-10958 is a HIGH severity vulnerability affecting WP Photo Album Plus versions up to 8.8.08.007, allowing unauthenticated attackers to execute arbitrary shortcodes due to inadequate input validation.
If you are using WP Photo Album Plus version 8.8.08.007 or earlier, you are potentially affected by this vulnerability. Check your plugin version and upgrade immediately.
The recommended fix is to upgrade the WP Photo Album Plus plugin to the latest available version. Ensure your WordPress installation is also up-to-date.
While no widespread exploitation has been confirmed, the ease of exploiting arbitrary shortcode execution suggests a high probability of exploitation. Monitor security advisories for updates.
Refer to the WP Photo Album Plus official website and WordPress plugin repository for the latest security updates and advisories related to CVE-2024-10958.