CVE-2024-8481
Improper Control of Generation of Code ('Code Injection') (CWE-94)
Published: Sep 25, 2024 / Updated: 56d ago
010
CVSS 7.3EPSS 0.05%High
CVE info copied to clipboard
The The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.2. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Timeline
First Article
Feedly found the first article mentioning CVE-2024-8481. See article
Sep 25, 2024 at 2:37 AM / Vulners.com RSS Feed
CVSS Estimate
Feedly estimated the CVSS score as HIGH
Sep 25, 2024 at 2:37 AM
CVE Assignment
NVD published the first details for CVE-2024-8481
Sep 25, 2024 at 3:15 AM
CVSS
A CVSS base score of 7.3 has been assigned.
Sep 25, 2024 at 3:15 AM / nvd
Detection in Vulnerability Scanners
Detection for the vulnerability has been added to Qualys (152238)
Sep 25, 2024 at 7:53 AM
EPSS
EPSS Score was set to: 0.05% (Percentile: 17.7%)
Sep 25, 2024 at 9:39 AM
Affected Systems
Blogcoding/special_text_boxes
+null more
Attack Patterns
CAPEC-242: Code Injection
+null more
News
Web Application Detections Published in September 2024
In September, Qualys released QIDs targeting vulnerabilities in several widely-used software products, including WordPress, Tiki Wiki CMS, Apache HTTP Server, XWiki, Apache OFBiz, Lunary-ai, GitLab, Adobe ColdFusion, Moodle CMS, Zimbra, JBoss EAP, Kibana, Drupal, Ivanti Endpoint Manager (EPM), Apache Tomcat, Joomla!, Nginx, Open Secure Sockets Layer (OpenSSL). Customers can get more details about the following QIDs in our knowledge base. Customers should review their reports for these detections. If any of the following are reported against their applications scanned, customers should follow the steps mentioned in the solution to ensure their systems are protected against the identified vulnerabilities. QID Title 152148 WordPress WPML Plugin: Remote Code Execution Vulnerability (CVE-2024-6386) 152150 WordPress Bit Form Plugin: SQL Injection Vulnerability (CVE-2024-7702) 152151 WordPress Bit Form Plugin: Arbitrary File Read And Delete Vulnerability (CVE-2024-7777) 152157 WordPress LiquidPoll Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-7134) 152158 WordPress GEO my WP Plugin: Local File Inclusion Vulnerability (CVE-2024-6330) 152159 WordPress AI Engine Plugin:
CVE-2024-8481
High Severity Description The The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.2. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. Read more at https://www.tenable.com/cve/CVE-2024-8481
High - CVE-2024-8481 - The The Special Text Boxes plugin for WordPress...
The The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.2. This is due to the plugin adding the filter...
null
- HIGH - CVE-2024-8481 The The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.2. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVE-2024-8481 - WordPress Special Text Boxes Shortcode Injection Vulnerability
CVE ID : CVE-2024-8481 Published : Sept. 25, 2024, 3:15 a.m. 19 minutes ago Description : The The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.2. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. Severity:
See 5 more articles and social media posts