WordPress Plugin Vulnerabilities

kk Star Ratings – Rate Post & Collect User Feedbacks < 5.4.10.2 - Unauthenticated Arbitrary Shortcode Execution

Description

The The kk Star Ratings – Rate Post & Collect User Feedbacks plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.4.10. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Note: This vulnerability was only partially patched in version 5.4.10.1, and fully patched in 5.4.10.2

Affects Plugins

Plugin icon
kk-star-ratings
Fixed in 5.4.10.2

References

CVE
CVE-2024-11977
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5dea49fb-2703-4754-9abd-5f4e526d5570

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.3 (high)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
397f62e7-9284-4b8e-b209-637e0a3166ee

Timeline

Publicly Published
2024-12-20 (about 1 year ago)
Added
2024-12-20 (about 1 year ago)
Last Updated
2025-01-15 (about 1 year ago)

Other

Published
Title
Published
2026-05-26
Title
WPCode < 2.3.6 - Author+ Remote Code Execution via XML-RPC wp.newPost
Published
2025-05-05
Title
LayoutBoxx <= 0.3.1 - Unauthenticated Arbitrary Shortcode Execution
Published
2021-07-05
Title
Speed Booster Pack 4.2.0-beta - Authenticated (admin+) RCE
Published
2014-09-27
Title
DZS Video Gallery Plugin - RCE & More
Published
2014-08-01
Title
File Gallery 1.7.9 - Settings Page create_function Function Remote Comm& Execution