AI Infographic Maker < 5.0.0 – Unauthenticated Arbitrary Shortcode Execution | CVE 2024-12415 | Plugin Vulnerabilities

Description

The The AI Infographic Maker plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.9.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

infographic-and-list-builder-ilist

Fixed in 5.0.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0aa21fad-4dd0-4ccd-a325-de3532a6ffaf

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Arkadiusz Hydzik

Verified

No

WPVDB ID

764ae575-867d-49ef-b41e-f1e80481ce76

Timeline

Publicly Published

2025-01-30 (about 1 year ago)

Added

2025-01-30 (about 1 year ago)

Last Updated

2025-01-31 (about 1 year ago)

Other

Published

Title

Published

2025-11-17

Title

Classified Listing – Classified ads & Business Directory Plugin < 5.0.4 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Listing Description

Published

2020-04-27

Title

Simple File List < 4.2.3 - Unauthenticated Arbitrary File Upload RCE

Published

2018-01-04

Title

buddypress-xprofile-custom-fields-type 2.6.3 - Authenticated Arbitrary File Deletion

Published

2025-09-03

Title

Easy Timer < 4.2.2 - Authenticated (Editor+) Remote Code Execution via Shortcode

Published

2017-09-16

Title

VaultPress 1.89-1.9 - Unauthenticated RCE