WordPress Plugin Vulnerabilities

Authors List < 2.0.5 - Unauthenticated Arbitrary Shortcode Execution

Description

The plugin is vulnerable to arbitrary shortcode execution via update_authors_list_ajax AJAX due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

Plugin icon
authors-list
Fixed in 2.0.5

References

CVE
CVE-2024-10952
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8b3cfe0a-dcfb-40f3-ba43-4e838c113010

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.3 (high)

Miscellaneous

Original Researcher
Arkadiusz Hydzik
Verified
No
WPVDB ID
aa33d358-71d6-4fdf-8da4-20e4d1eff85f

Timeline

Publicly Published
2024-12-03 (about 1 year ago)
Added
2024-12-03 (about 1 year ago)
Last Updated
2024-12-13 (about 1 year ago)

Other

Published
Title
Published
2005-06-29
Title
WordPress <= 1.5.1.2 - XML-RPC Eval Injection
Published
2026-01-18
Title
XStore < 9.6.5 - Unauthenticated Arbitrary Shortcode Execution
Published
2014-08-01
Title
Kernel Theme - functions/upload-h&ler.php File Upload Remote Code Execution
Published
2015-02-26
Title
Import any XML or CSV File to WordPress <= 3.2.3 - RCE
Published
2025-02-03
Title
Uix Shortcodes < 2.0.4 - Unauthenticated Arbitrary Shortcode Execution