CVE-2024-8623

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Sep 24, 2024 / Updated: 57d ago

CVSS 7.3 / EPSS 0.05% / Severity: High

Summary

The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to and including 1.3.3.3. The plugin exposes an action that passes a user-supplied value to do_shortcode without validating it first, so an unauthenticated attacker can cause the site to parse and execute shortcodes of their choosing.

Impact

This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, which NVD classifies as code injection (CWE-94). In practice the attacker does not supply PHP directly; they can invoke any shortcode registered by WordPress core, the active theme, or any installed plugin, with attacker-chosen attributes, and the real impact is bounded by what those shortcodes do. The potential impacts include:

1. Unauthorized code execution: shortcodes that render templates, evaluate expressions, include files, or make outbound requests can be driven by an attacker to run logic they were never meant to expose.
2. Data manipulation: shortcodes that write to the database could be used to modify or delete content on the website.
3. Privilege escalation: depending on the shortcodes available, attackers might be able to create accounts, change roles, or otherwise elevate their access to the site.
4. Website defacement: malicious actors could alter the appearance or content of rendered pages.
5. Further compromise: the vulnerability could serve as an entry point for more severe attacks on the WordPress installation or the hosting server.

Exploitation

There is no evidence that a public proof of concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been fixed in version 1.3.3.4 of the MDTF – Meta Data and Taxonomies Filter plugin for WordPress. Users should update to this version or later to mitigate the risk.

Mitigation

1. Update the MDTF – Meta Data and Taxonomies Filter plugin to version 1.3.3.4 or later immediately.
2. If immediate updating is not possible, consider temporarily disabling the plugin until the update can be applied.
3. Implement strong input validation and sanitization for all user-supplied data, especially in areas where shortcodes are processed.
4. Regularly audit and update all WordPress plugins, themes, and core installations.
5. Implement the principle of least privilege for WordPress user roles and permissions.
6. Use a Web Application Firewall (WAF) to help filter out malicious requests.
7. Monitor WordPress sites for any unusual activity or unauthorized changes.
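The mechanism described in the Summary (a request value handed straight to do_shortcode) and the validation called for in mitigation step 3 are easiest to see side by side. The following PHP is an added illustration of that pattern, not the MDTF plugin's own code: the hook names, action names, request parameters and the `example_filter` shortcode are all assumed for the example.

```php
<?php
// Added illustration of CWE-94 via do_shortcode() on untrusted input.
// NOT the MDTF plugin's code; every hook, action and parameter name here is assumed.

// --- Vulnerable pattern ------------------------------------------------------
// wp_ajax_nopriv_* runs for visitors with no account, so whatever this handler
// does is reachable unauthenticated. Passing the raw request value to
// do_shortcode() lets the caller name ANY shortcode registered by core, the
// theme or any active plugin, and choose its attributes.
add_action( 'wp_ajax_nopriv_example_render', 'example_render_vulnerable' );
add_action( 'wp_ajax_example_render', 'example_render_vulnerable' );
function example_render_vulnerable() {
    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    // value=[some_other_plugins_shortcode attr="..."] is parsed and executed here.
    echo do_shortcode( $value );
    wp_die();
}

// --- Hardened pattern --------------------------------------------------------
// Never hand the request to the shortcode parser. Accept only a shortcode NAME
// from a fixed allowlist, confirm it is actually registered, sanitize each
// attribute by type, and build the tag string yourself so the caller controls
// neither the tag nor the bracket syntax.
add_action( 'wp_ajax_nopriv_example_render_safe', 'example_render_safe' );
add_action( 'wp_ajax_example_render_safe', 'example_render_safe' );
function example_render_safe() {
    // A nonce limits CSRF but does not authenticate nopriv callers; the
    // allowlist below is what actually bounds what can be executed.
    check_ajax_referer( 'example_render_nonce', 'nonce' );

    $allowed = array( 'example_filter' ); // assumed: the plugin's own shortcode
    $tag     = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unsupported shortcode', 400 );
    }

    // Allowlist each attribute and coerce it to the expected type; anything
    // else in the request is ignored rather than forwarded.
    $attrs = array(
        'id'    => absint( $_POST['id'] ?? 0 ),
        'limit' => min( 100, absint( $_POST['limit'] ?? 10 ) ),
    );
    $attr_string = '';
    foreach ( $attrs as $name => $val ) {
        $attr_string .= sprintf( ' %s="%s"', $name, esc_attr( (string) $val ) );
    }

    echo do_shortcode( '[' . $tag . $attr_string . ']' );
    wp_die();
}
```

The key design choice is that the shortcode tag is chosen from server-side constants and the request only selects among them; shortcode_exists() is a second check so the allowlist cannot silently reference a shortcode that is no longer registered. When reviewing a plugin for this bug class, grep for do_shortcode( and trace whether any argument can originate from $_GET, $_POST, $_REQUEST or a REST request body, paying particular attention to handlers registered with wp_ajax_nopriv_ or REST routes whose permission_callback is __return_true.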

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8623.

Sep 24, 2024 at 2:50 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 24, 2024 at 2:50 AM
CVE Assignment

NVD published the first details for CVE-2024-8623

Sep 24, 2024 at 3:15 AM
CVSS

A CVSS base score of 7.3 has been assigned.

Sep 24, 2024 at 3:15 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 21.3%)

Sep 24, 2024 at 9:33 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (152233)

Sep 25, 2024 at 7:53 AM

Affected Systems

Pluginus/wordpress_meta_data_and_taxonomies_filter

Patches

plugins.trac.wordpress.org

Attack Patterns

CAPEC-242: Code Injection

News

CVE Alert: CVE-2024-8623 - https://www.redpacketsecurity.com/cve_alert_cve-2024-8623/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_8623
High - CVE-2024-8623 - The MDTF – Meta Data and Taxonomies Filter...
The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.3.3.3. This is due to the software...
CVE-2024-8623
Severity 3.1 (CVSS 3.1 Base Score) This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
MDTF – Meta Data and Taxonomies Filter <= 1.3.3.3 - Unauthenticated Arbitrary Shortcode Execution
Realmag777 - HIGH - CVE-2024-8623 The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.3.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
