Woody code snippets – Insert Header Footer Code, AdSense Ads < 2.5.1 -Authenticated (Contributor+) Remote Code Execution | CVE 2024-3105 | Plugin Vulnerabilities

Description

The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the 'insert_php' shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server.

Affects Plugins

Fixed in 2.5.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/134ad095-b0a0-4f0f-832d-3e558d4a250a

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Webbernaut

Verified

No

WPVDB ID

1bd9ae2b-4e7b-46a2-ae8f-5ae3ad1633e4

Timeline

Publicly Published

2024-06-14 (about 2 years ago)

Added

2024-06-14 (about 2 years ago)

Last Updated

2024-06-15 (about 2 years ago)

Other

Published

Title

Published

2024-11-10

Title

WP Photo Album Plus < 8.9.01.001 - Unauthenticated Arbitrary Shortcode Execution via getshortcodedrenderedfenodelay

Published

2025-09-09

Title

Easy Appointments < 3.12.14.1 - Unauthenticated Arbitrary Shortcode Execution

Published

2024-07-29

Title

AI Engine < 2.5.1 - Admin+ RCE

Published

2014-08-01

Title

Checkout Plugin - File Upload Remote Code Execution

Published

2025-11-18

Title

Code Snippets < 3.9.2 - Contributor+ PHP Code Injection via extract() and PHP Filter Chains