Platform: wordpress
Component: gamipress
Fixed in: 7.1.6
CVE-2024-11036 describes an arbitrary shortcode execution vulnerability discovered in the GamiPress WordPress plugin. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially compromising the entire WordPress site. The vulnerability affects versions of GamiPress up to and including 7.1.5, and a patch is available from the vendor.
The impact of this vulnerability is significant. An attacker can leverage the gamipress_get_user_earnings AJAX action to inject and execute arbitrary shortcodes. Shortcodes can be used to insert malicious content, redirect users to phishing sites, execute arbitrary PHP code, or even gain complete control of the WordPress installation. This could lead to data breaches, defacement of the website, or the deployment of malware. The lack of authentication required makes this vulnerability particularly concerning, as any external user can potentially exploit it.
This vulnerability was publicly disclosed on November 19, 2024. While no active exploitation campaigns have been confirmed at the time of writing, the ease of exploitation and the lack of authentication make it a likely target for malicious actors. No KEV listing or EPSS score is currently available. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
WordPress websites utilizing the GamiPress plugin, particularly those running versions prior to 7.1.5, are at risk. Shared hosting environments are especially vulnerable, as attackers may be able to exploit this vulnerability through other compromised accounts on the same server. Sites with weak access controls or outdated security practices are also at increased risk.
• wordpress / composer / npm:
grep -r 'gamipress_get_user_earnings' /var/www/html/wp-content/plugins/gamipress/
• wordpress / composer / npm:
wp plugin list --status=active | grep gamipress
• wordpress / composer / npm:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=gamipress_get_user_earnings
Exploit Status
EPSS
1.84% (83rd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade GamiPress to a version newer than 7.1.5, as the vendor has released a patch to address the vulnerability. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting access to the gamipress_get_user_earnings AJAX action. This can be achieved through WordPress access control plugins or custom code that validates user roles before allowing access to the endpoint. Regularly scan your WordPress installation for vulnerabilities using security plugins and keep all plugins and themes updated.
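One way to implement that interim control, written here as an added example (not GamiPress or vendor code): a must-use plugin that short-circuits the AJAX action for unauthenticated callers and enforces a capability check for logged-in ones. The action name is the one named in this advisory; the capability constant and the log format are assumptions to adjust per site.

```php
<?php
/**
 * Plugin Name: Interim guard for gamipress_get_user_earnings (CVE-2024-11036)
 * Description: Added example, not GamiPress code. Place in wp-content/mu-plugins/
 *              as a stopgap until GamiPress is upgraded past 7.1.5, then remove.
 */

// Action name as given in the advisory's detection commands.
const GUARD_GP_ACTION = 'gamipress_get_user_earnings';
// Assumption: capability a logged-in user must hold to reach the endpoint.
// 'read' admits every logged-in role; tighten (e.g. 'edit_posts') if appropriate.
const GUARD_GP_CAPABILITY = 'read';

/**
 * Log and reject the request before the plugin's own handler runs.
 * wp_send_json_error() ends in wp_die(), so no later callback on the hook executes.
 */
function guard_gp_reject( string $reason, int $status ): void {
    error_log( sprintf(
        '[guard-gp] blocked action=%s method=%s ip=%s reason=%s',
        GUARD_GP_ACTION,
        $_SERVER['REQUEST_METHOD'] ?? '-',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $reason
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), $status );
}

// Unauthenticated admin-ajax.php requests dispatch to wp_ajax_nopriv_{action}.
// Priority 0 runs ahead of the plugin's callback (registered at the default 10).
add_action( 'wp_ajax_nopriv_' . GUARD_GP_ACTION, function (): void {
    guard_gp_reject( 'unauthenticated', 401 );
}, 0 );

// Authenticated requests dispatch to wp_ajax_{action}; apply the role check here.
add_action( 'wp_ajax_' . GUARD_GP_ACTION, function (): void {
    if ( ! current_user_can( GUARD_GP_CAPABILITY ) ) {
        guard_gp_reject( 'insufficient capability', 403 );
    }
}, 0 );
```

Blocked attempts appear in the PHP error log with the `[guard-gp]` prefix, which gives a simple signal to watch while the upgrade is scheduled.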
Update the GamiPress plugin to a version later than 7.1.5. This fixes the unauthenticated arbitrary shortcode execution vulnerability.
CVE-2024-11036 is a vulnerability in the GamiPress WordPress plugin allowing unauthenticated attackers to execute arbitrary shortcodes, potentially leading to site takeover. It affects versions up to 7.1.5 and has a HIGH severity rating.
You are affected if you are using GamiPress version 7.1.5 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade GamiPress to a version newer than 7.1.5. If immediate upgrading is not possible, consider temporary workarounds like restricting access to the vulnerable AJAX action.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a likely target. Monitor your site closely for suspicious activity.
Refer to the GamiPress website and WordPress plugin repository for the latest security updates and advisories related to CVE-2024-11036.