Platform
wordpress
Component
enable-shortcodes-inside-widgetscomments-and-experts
Fixed in
1.0.1
CVE-2024-9846 describes an arbitrary shortcode execution vulnerability within the Enable Shortcodes inside Widgets,Comments and Experts plugin for WordPress. This flaw allows unauthenticated attackers to inject and execute malicious shortcodes, potentially leading to website defacement, data theft, or remote code execution. The vulnerability impacts versions up to and including 1.0.0. A patch is expected from the plugin developer.
The impact of CVE-2024-9846 is significant due to its ease of exploitation and the potential for widespread compromise. An attacker can leverage this vulnerability to execute arbitrary PHP code through shortcodes, effectively gaining control over the affected WordPress website. This could involve modifying content, injecting malware, stealing sensitive data (user credentials, database information), or even pivoting to other systems on the network. The lack of authentication required for exploitation further amplifies the risk, making it accessible to a wide range of attackers.
CVE-2024-9846 was publicly disclosed on 2024-10-30. Currently, no public proof-of-concept (POC) exploits have been released, but the vulnerability's ease of exploitation suggests that it is likely to be targeted. It is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Websites using the Enable Shortcodes inside Widgets,Comments and Experts plugin, particularly those running versions prior to the patch release, are at risk. Shared hosting environments where multiple websites share the same server are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'do_shortcode' /var/www/html/wp-content/plugins/enable-shortcodes-inside-widgets-comments-and-experts/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep enable-shortcodes
• wordpress / composer / npm:
wp plugin list | grep enable-shortcodes
Disclosure
Exploit status
EPSS
0.78% (74th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-9846 is to upgrade the Enable Shortcodes inside Widgets,Comments and Experts plugin to a patched version as soon as it becomes available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, restrict shortcode usage within widgets and comments to a predefined whitelist of safe shortcodes. Monitor WordPress logs for suspicious shortcode activity and implement a Web Application Firewall (WAF) with rules to block potentially malicious shortcode injections.
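One way to implement the allowlist and logging workaround described above, as an added example that is not code from the vulnerable plugin or its developer: a must-use plugin that lets only a fixed list of shortcodes run in comment and widget text, leaves any other tag as literal text, and writes each blocked tag to the PHP error log. It assumes the vulnerable plugin has already been deactivated (otherwise its own `do_shortcode` hook would still run afterwards) and that `caption` and `gallery` are the only shortcodes the site needs there.

```php
<?php
/**
 * Plugin Name: Comment/widget shortcode allowlist (added example, not the vulnerable plugin)
 * Description: Drop into wp-content/mu-plugins/ after deactivating the vulnerable plugin.
 */

// Assumption: these are the only shortcodes the site needs in comments and widgets.
const EXAMPLE_ALLOWED_SHORTCODES = array('caption', 'gallery');

/**
 * Run only allowlisted shortcodes in $content. Registered tags that are not on
 * the list are never executed (they stay as literal text) and are logged with
 * the context they appeared in, so attempts show up in the PHP error log.
 */
function example_do_allowed_shortcodes($content, $context) {
    global $shortcode_tags;
    if (!is_string($content) || strpos($content, '[') === false) {
        return $content;
    }
    $allowed = EXAMPLE_ALLOWED_SHORTCODES;

    // get_shortcode_regex() matches every registered tag; capture group 2 is the tag name.
    if (preg_match_all('/' . get_shortcode_regex() . '/', $content, $matches)) {
        foreach (array_unique($matches[2]) as $tag) {
            if (!in_array($tag, $allowed, true)) {
                error_log(sprintf('[shortcode-allowlist] blocked [%s] in %s', $tag, $context));
            }
        }
    }

    // Temporarily shrink the global shortcode registry to the allowlist, so
    // do_shortcode() can only ever dispatch to those handlers.
    $saved = $shortcode_tags;
    $shortcode_tags = array_intersect_key($saved, array_flip($allowed));
    try {
        return do_shortcode($content);
    } finally {
        $shortcode_tags = $saved;
    }
}

// Priority 9 so this runs before any later do_shortcode filter on the same hooks.
add_filter('comment_text', function ($text) {
    return example_do_allowed_shortcodes($text, 'comment');
}, 9);
add_filter('widget_text', function ($text) {
    return example_do_allowed_shortcodes($text, 'widget');
}, 9);
```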
Update the Enable Shortcodes inside Widgets,Comments and Experts plugin to a version later than 1.0.0. This fixes the arbitrary shortcode execution vulnerability.
CVE-2024-9846 is a vulnerability in the Enable Shortcodes plugin for WordPress that allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation, potentially leading to website compromise.
You are affected if you are using the Enable Shortcodes plugin version 1.0.0 or earlier. Check your plugin version and upgrade as soon as a patch is available.
Upgrade the Enable Shortcodes plugin to the latest patched version. Until a patch is released, disable the plugin or restrict shortcode usage.
While no public exploits are currently available, the vulnerability's ease of exploitation suggests it is likely to be targeted. Monitor security advisories for updates.
Check the plugin developer's website or WordPress plugin repository for the official advisory and patch release.