Platform
wordpress
Component
uix-shortcodes
Fixed in
1.9.10
CVE-2024-9772 describes an arbitrary shortcode execution vulnerability in the Uix Shortcodes – Compatible with Gutenberg plugin for WordPress. The plugin hands an insufficiently validated value to do_shortcode, which lets unauthenticated attackers execute any shortcode registered on the site, potentially compromising site functionality and data integrity. All versions up to and including 1.9.9 are affected; the fix is in 1.9.10.
Arbitrary shortcode execution is a significant risk for WordPress sites running Uix Shortcodes. Shortcodes are server-side macros, so what an attacker can actually do depends on which shortcodes the theme and the other installed plugins register: the common outcomes are injecting attacker-controlled HTML or JavaScript into pages served to visitors (defacement, redirects to phishing sites, script execution in visitors' browsers) and exposing whatever data a registered shortcode is allowed to query. Shortcodes that read files, run database queries or call privileged functions raise the impact accordingly, so treat the flaw as a site-wide exposure rather than one limited to this plugin's own features. Because no authentication is required, every site with a vulnerable version is reachable by any remote attacker.
CVE-2024-9772 was publicly disclosed on 2024-10-26. No public proof-of-concept (PoC) has been widely released, but the flaw is easy to exploit and needs no credentials, so exploitation attempts should be expected. The vulnerability is not currently listed in the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for indications of active campaigns targeting it.
Any WordPress site with Uix Shortcodes 1.9.9 or earlier installed is exposed, regardless of how the rest of the site is hardened, because the flaw needs no authentication. Sites where plugin updates are not applied consistently, for example on shared hosting with automatic updates disabled, are the most likely to remain vulnerable.
• wordpress / composer / npm:
    grep -r 'do_shortcode' /var/www/html/wp-content/plugins/uix-shortcodes/
• wordpress / composer / npm:
    wp plugin list --status=inactive | grep uix-shortcodes
• wordpress / composer / npm:
    wp plugin update uix-shortcodes
Disclosure: 2024-10-26
Exploit Status: no public PoC widely released; not listed in CISA KEV
EPSS: 9.35% (93rd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-9772 is to upgrade the Uix Shortcodes plugin to 1.9.10 or later immediately. If upgrading is not feasible because of compatibility issues or breaking changes, deactivate the plugin until it can be updated, and delete it if it is not needed: deactivation stops the plugin's hooks from being registered, but its files stay on disk. Validating the value handed to do_shortcode is the plugin's job and is what the fix addresses; on the operator side, a Web Application Firewall (WAF) rule that blocks shortcode syntax (a bracketed tag such as [tag ...]) in request parameters from unauthenticated clients adds a layer of protection, at the cost of possible false positives on legitimate content. After upgrading, verify the fix by confirming that the installed version is 1.9.10 or later (wp plugin list, or the Version: header in the plugin's main file) rather than by sending shortcodes at the site.
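The three commands listed above (grep over the plugin directory, the inactive-plugin listing, and the post-upgrade version check) combined into one script, as an added example that is not part of the original advisory and not the plugin's own code. It reads the plugin header from disk instead of asking wp-cli, so it also works on backups, container images and deactivated copies. Assumptions: the plugin lives at wp-content/plugins/uix-shortcodes and its main file carries the standard "Plugin Name:" / "Version:" header; the do_shortcode grep pattern is a one-line heuristic for request data reaching do_shortcode, not the plugin's actual vulnerable code path.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the Uix Shortcodes plugin.
# Decides whether a WordPress install is exposed to CVE-2024-9772 by reading
# the plugin's own header under wp-content, so it also works on backups,
# container layers and inactive plugins where wp-cli is unavailable.
# Assumptions: the plugin lives at <wp-content>/plugins/uix-shortcodes and its
# main file carries the standard "Plugin Name:" / "Version:" header comment.

FIXED_VERSION="1.9.10"      # first patched release, per the advisory
PLUGIN_SLUG="uix-shortcodes"

# Print the installed plugin version, or nothing if the plugin is absent.
uix_installed_version() {
    dir="$1/plugins/$PLUGIN_SLUG"
    [ -d "$dir" ] || return 0
    # The main plugin file is the one carrying the "Plugin Name:" header.
    main="$(grep -l -i 'Plugin Name:' "$dir"/*.php 2>/dev/null | head -n1)"
    [ -n "$main" ] || return 0
    grep -i -m1 -E '^[[:space:]*]*Version:' "$main" \
        | sed -E 's/^[[:space:]*]*[Vv]ersion:[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 (true) when dotted version $1 is strictly lower than $2.
# Pure POSIX sh, so it does not depend on GNU "sort -V"; a missing
# component counts as 0, so 1.9 < 1.9.10.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] 2>/dev/null && return 0
        [ "$ai" -gt "$bi" ] 2>/dev/null && return 1
    done
    return 1
}

# Print "not-installed", "affected <version>" or "fixed <version>"
# for the wp-content directory given in $1.
uix_cve_2024_9772_status() {
    ver="$(uix_installed_version "$1")"
    if [ -z "$ver" ]; then
        echo "not-installed"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "affected $ver"
    else
        echo "fixed $ver"
    fi
}

# Heuristic code audit: list lines in the plugin where do_shortcode() is fed
# request data on the same line. Assumption: the tainted value reaches
# do_shortcode on one line; flows spread over several lines are not caught.
uix_audit_do_shortcode() {
    dir="$1/plugins/$PLUGIN_SLUG"
    [ -d "$dir" ] || return 0
    find "$dir" -name '*.php' -exec \
        grep -n -E 'do_shortcode[[:space:]]*\(.*\$_(GET|POST|REQUEST)' {} + 2>/dev/null
    return 0
}

# Usage: sh check-uix.sh /var/www/html/wp-content
if [ -n "${1:-}" ]; then
    uix_cve_2024_9772_status "$1"
    uix_audit_do_shortcode "$1"
fi
```

Run it against each wp-content directory you manage, including deactivated installs: "wp plugin list --status=inactive" only tells you the hooks are not registered, while the header check tells you whether vulnerable code is still on disk. A result of "affected" means update (or remove) before anything else; "fixed" is the same check the mitigation paragraph asks for after the upgrade.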
Update the Uix Shortcodes – Compatible with Gutenberg plugin to the latest available version. This fixes the unauthenticated arbitrary shortcode execution vulnerability.
CVE-2024-9772 is a HIGH severity vulnerability in the Uix Shortcodes plugin for WordPress that allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
You are affected if you are using Uix Shortcodes plugin version 1.9.9 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Uix Shortcodes plugin to the latest available version. If upgrading is not possible, temporarily disable the plugin and consider implementing WAF rules.
While no widespread exploitation has been confirmed, the ease of exploitation suggests a potential for active campaigns. Monitor security advisories for updates.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.