WordPress Plugin Vulnerabilities

WordPress Popular Posts < 7.2.0 - Unauthenticated Arbitrary Shortcode Execution

Description

The plugin is vulnerable to arbitrary shortcode execution due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

Plugin icon
wordpress-popular-posts
Fixed in 7.2.0

References

CVE
CVE-2024-11733
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c38ac8d6-c6de-4be7-bf7b-198e085a0ad2

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.3 (high)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
957a0dc2-56e1-4789-bc56-716fab1cbce4

Timeline

Publicly Published
2025-01-03 (about 1 year ago)
Added
2025-01-13 (about 1 year ago)
Last Updated
2025-01-13 (about 1 year ago)

Other

Published
Title
Published
2025-02-20
Title
Head, Footer and Post Injections < 3.3.1 - Authenticated (Administrator+) PHP Code Injection in Multisite Environments
Published
2024-04-24
Title
FOX – Currency Switcher Professional for WooCommerce < 1.4.1.9 - Unauthenticated Arbitrary Shortcode Execution
Published
2024-01-16
Title
Display custom fields in the frontend – Post and User Profile Fields < 1.3.0 - Authenticated (Contributor+) Code Injection
Published
2024-12-12
Title
Simple Link Directory < 8.4.6 - Unauthenticated Arbitrary Shortcode Execution
Published
2014-08-01
Title
MailPoet Newsletters 2.6.6 - Theme File Upload H&ling Remote Code Execution