WordPress Plugin Vulnerabilities

BuddyPress < 14.3.4 - Unauthenticated Arbitrary Shortcode Execution

Description

The plugin is vulnerable to arbitrary shortcode execution due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

Plugin icon
buddypress
Fixed in 14.3.4

References

CVE
CVE-2024-11976
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/34c627c1-7838-468e-acb7-eb84ad1b4949

Classification

Type
INJECTION
OWASP top 10
A1: Injection
CVSS
7.3 (high)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
e49e7946-b6e3-4947-971f-20b629479526

Timeline

Publicly Published
2026-01-22 (about 3 months ago)
Added
2026-01-22 (about 3 months ago)
Last Updated
2026-01-22 (about 3 months ago)

Other

Published
Title
Published
2022-06-20
Title
WooCommerce < 6.6.0 - Admin+ Stored HTML Injection
Published
2023-02-16
Title
WoodMart < 7.1.2 - Unauthenticated Arbitrary Shortcode Injection
Published
2026-03-27
Title
Pagelayer < 2.0.8 - Unauthenticated Email Header Injection via 'email'
Published
2026-04-21
Title
HTTP Headers <= 1.19.2 - Administrator+ CRLF Injection via Custom Header Values
Published
2023-06-23
Title
Supsystic Popup < 1.10.19 - Prototype Pollution