Head, Footer and Post Injections < 3.3.1 – Authenticated (Administrator+) PHP Code Injection in Multisite Environments | CVE 2024-13900

Affects Plugins

header-footer

Fixed in 3.3.1

References

CVE

CVE-2024-13900

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5177bde6-4922-48ee-9155-577c392809a0

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

CVSS

4.1 (medium)

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

027758eb-28dd-435e-9857-898b63c9dbff

Timeline

Publicly Published

2025-02-20 (about 1 year ago)

Added

2025-02-20 (about 1 year ago)

Last Updated

2025-02-21 (about 1 year ago)

Other

Published

Title

Published

2025-05-22

Title

MetalpriceAPI < 1.1.5 - Contributor+ Remote Code Execution

Published

2025-05-07

Title

NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.9.2 - Authenticated (Custom) Limited Code Execution via get_table_records Function

Published

2025-02-24

Title

Ark Theme Core < 1.71.0 - Unauthenticated Remote Code Execution

Published

2025-08-02

Title

Doctreat < 1.6.8 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

Published

2026-04-03

Title

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress < 4.16.12 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields