Platform
wordpress
Component
authors-list
Fixed in
2.0.5
CVE-2024-10952 describes an arbitrary shortcode execution vulnerability in the Authors List plugin for WordPress. The plugin exposes an AJAX action (update_authors_list_ajax) that passes a request-supplied value to WordPress's shortcode renderer without validating it, so an unauthenticated attacker can have the site execute any registered shortcode with attacker-chosen attributes. The vulnerability affects all versions of the plugin up to and including 2.0.4; version 2.0.5 contains the fix.
The impact is significant because the attacker is not limited to the plugin's own shortcode: every shortcode registered by WordPress core, the active theme, or any other active plugin becomes reachable without authentication. Shortcodes are PHP callbacks, and many of them render stored content, embed forms, or emit markup and scripts, so depending on what is installed the outcome ranges from content disclosure and injected scripts (defacement, stored XSS) to, where a reachable shortcode does something dangerous with its attributes, data theft or a full site compromise. Unauthenticated reachability is what makes this a high-severity issue: it requires no account, no user interaction, and can be scanned for at scale, and on shared hosting a compromised site may be a foothold against neighbouring sites if the host does not isolate tenants properly.
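The pattern described above, as an added illustration written for this page rather than the Authors List plugin's own code: an unauthenticated AJAX handler that renders a request value with do_shortcode(), beside a hardened handler that verifies a nonce and a capability, never renders a caller-supplied shortcode string, and instead builds the one allowed shortcode from allow-listed attributes. The hook name matches the AJAX action named in this advisory; the request parameter names, the nonce action, the shortcode tag and the attribute list are assumptions for illustration.

```php
<?php
// Added example for CVE-2024-10952; not the plugin's actual source.
// Requires WordPress (add_action, do_shortcode, check_ajax_referer, ...).

// --- Vulnerable shape ------------------------------------------------------
// wp_ajax_nopriv_* makes the handler reachable by anonymous visitors, and the
// shortcode text comes straight from the request.
add_action( 'wp_ajax_nopriv_update_authors_list_ajax', 'al_demo_vulnerable_handler' );
add_action( 'wp_ajax_update_authors_list_ajax', 'al_demo_vulnerable_handler' );

function al_demo_vulnerable_handler() {
    // 'shortcode' is an assumed parameter name.
    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    // Any registered shortcode (core, theme, any plugin) runs here with
    // attacker-chosen attributes, e.g. "[gallery ids=\"1,2,3\"]" or a form or
    // contact plugin's shortcode that renders stored data or emits script.
    echo do_shortcode( $shortcode );
    wp_die();
}

// --- Hardened shape --------------------------------------------------------
// 1. No nopriv hook: anonymous callers cannot reach the handler at all.
// 2. Nonce + capability check, so a logged-in user cannot be CSRF'd into it.
// 3. The request only chooses options; the shortcode is assembled server-side
//    from an allow-list, so do_shortcode() never sees untrusted tags.
add_action( 'wp_ajax_update_authors_list_ajax', 'al_demo_hardened_handler' );

function al_demo_hardened_handler() {
    check_ajax_referer( 'authors_list_nonce', 'nonce' ); // assumed nonce action/field

    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $tag = 'authors_list'; // assumed: the plugin's own shortcode tag
    if ( ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'shortcode not registered', 500 );
    }

    // Allow-list every attribute and coerce it to its expected type.
    $per_page = absint( $_POST['per_page'] ?? 10 );
    $per_page = min( 100, max( 1, $per_page ) );

    $orderby = sanitize_key( wp_unslash( $_POST['orderby'] ?? 'name' ) );
    if ( ! in_array( $orderby, array( 'name', 'post_count' ), true ) ) {
        $orderby = 'name';
    }

    // Only this exact, validated shortcode is ever rendered.
    $shortcode = sprintf( '[%s per_page="%d" orderby="%s"]', $tag, $per_page, esc_attr( $orderby ) );

    wp_send_json_success( do_shortcode( $shortcode ) );
}
```

The important design choice is the third point: once the caller can supply the shortcode text, no amount of sanitising that string is safe, because the danger lives in the callbacks of whichever shortcodes happen to be registered, not in the characters of the string. Validation has to happen before do_shortcode() on a structured request, which is also the shape of fix the advisory describes for 2.0.5.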
CVE-2024-10952 was publicly disclosed on December 4, 2024. While no public proof-of-concept (PoC) code has been widely released, the ease of exploitation makes it likely that attackers are actively scanning for vulnerable instances. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the widespread use of WordPress, this vulnerability presents a significant risk.
Any WordPress site with the Authors List plugin installed at version 2.0.4 or earlier is affected, whether or not the site actively uses the plugin's shortcode, because the vulnerable AJAX action is registered as soon as the plugin is active. Sites on shared hosting without per-tenant isolation face additional risk, since a compromised site can be used as a foothold against other sites on the same server. Sites with weak security configurations or infrequent plugin updates are also at increased risk.
• wordpress (WP-CLI): check whether the plugin is installed and which version is active (the slug is authors-list, so match on that rather than the display name):
  wp plugin list | grep -i authors-list
• wordpress (WP-CLI): update the plugin, or all plugins at once:
  wp plugin update authors-list
  wp plugin update --all
• wordpress (WP-CLI): confirm the installed version is 2.0.5 or later:
  wp plugin status authors-list
• The vulnerable code path is reached through the plugin's AJAX action at /wp-admin/admin-ajax.php?action=update_authors_list_ajax. A bare request to that endpoint does not reliably indicate patch state, so rely on the installed version (≤2.0.4 affected, 2.0.5 fixed) rather than probing.
Exploit status
EPSS
1.09% (78th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-10952 is to update the Authors List plugin to 2.0.5 or later immediately. If updating is not feasible right away because of compatibility concerns, deactivate the plugin until it can be updated; deactivation removes the vulnerable AJAX action. As an additional layer, a Web Application Firewall rule that blocks requests to admin-ajax.php whose action parameter is update_authors_list_ajax can reduce exposure, but note that admin-ajax accepts the action in either the query string or a POST body, so the rule must inspect request bodies and not only URLs. This is a stopgap, not a fix. Regularly review WordPress plugin updates and security advisories to stay informed about potential vulnerabilities.
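To show what the WAF and log-review advice above catches and what it misses, here is an added example (not part of the original advisory) that scans web-server access-log lines for requests reaching the update_authors_list_ajax action and counts them per source address. The log lines are constructed for the example; the function names are my own, and the parser assumes the common "combined" log format and PHP 8 (for str_ends_with).

```php
<?php
// Added detection example for CVE-2024-10952 scanning; constructed log lines.

function al_demo_parse_log_line( string $line ): ?array {
    // combined format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null; // not a line we understand; skip rather than guess
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    );
}

function al_demo_is_authors_list_ajax( array $req ): bool {
    $url = parse_url( $req['path'] );
    if ( empty( $url['path'] ) || ! str_ends_with( $url['path'], '/wp-admin/admin-ajax.php' ) ) {
        return false;
    }
    parse_str( $url['query'] ?? '', $q );
    // Only a query-string action is visible in an access log. When the action
    // travels in a POST body the log shows a bare admin-ajax.php request, so
    // body-level inspection (WAF, full request logging) is needed to see it.
    return isset( $q['action'] ) && $q['action'] === 'update_authors_list_ajax';
}

function al_demo_scan( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $req = al_demo_parse_log_line( $line );
        if ( $req !== null && al_demo_is_authors_list_ajax( $req ) ) {
            $hits[ $req['ip'] ] = ( $hits[ $req['ip'] ] ?? 0 ) + 1;
        }
    }
    arsort( $hits );
    return $hits;
}

// Constructed sample: one probe with the action in the query string, one
// unrelated page view, and one POST to admin-ajax.php whose action is in the
// body and therefore not visible here.
$sample = array(
    '203.0.113.5 - - [05/Dec/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=update_authors_list_ajax&shortcode=%5Bgallery%5D HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '198.51.100.7 - - [05/Dec/2024:10:01:03 +0000] "GET /?p=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Dec/2024:10:01:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.32"',
);

print_r( al_demo_scan( $sample ) );
```

Run against the constructed sample, only the first line is reported; the third line is the same attacker reaching the same action with the parameters in a POST body, and it is invisible to a URL-only scan. That is the reason the WAF rule above must inspect bodies, and why a clean access log is not evidence that an unpatched site was not attacked.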
Update the Authors List plugin to the latest available version. This fixes the unauthenticated arbitrary shortcode execution vulnerability.
CVE-2024-10952 is a HIGH severity vulnerability in the Authors List WordPress plugin allowing unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
You are affected if you are using the Authors List plugin version 2.0.4 or earlier. Check your plugin version and update immediately.
Update the Authors List plugin to the latest version, which contains the security patch. If updating is not possible, temporarily disable the plugin.
While no widespread exploitation has been confirmed, the ease of exploitation suggests attackers are likely scanning for vulnerable instances.
Refer to the Authors List plugin's official website or WordPress plugin repository for the latest advisory and update information.