Cyber Posture

CVE-2024-10633

Severity: High
Published: 26 January 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0034 (56.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-10633 is a high-severity Eval Injection (CWE-95) vulnerability in Ays Pro (inferred from references). Its CVSS base score is 7.3 (High).

Operationally, it ranks in the top 43.2% of CVEs by exploit likelihood (EPSS 56.8th percentile); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation)

Directly requires validation of inputs before processing, addressing the core flaw of insufficient validation prior to do_shortcode execution.

prevent / recover

Mandates timely remediation of flaws through patching, directly mitigating exploitation by updating vulnerable Quiz Maker plugin versions.

detect (RA-5, Vulnerability Monitoring and Scanning)

Enables vulnerability scanning to identify and prioritize the specific shortcode execution flaw in deployed plugins.

NVD Description

The Quiz Maker Business, Developer, and Agency plugins for WordPress are vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Deeper analysis

CVE-2024-10633 is an arbitrary shortcode execution vulnerability in the Quiz Maker Business, Developer, and Agency plugins for WordPress. It affects all versions up to and including 8.8.0 for Business, 21.8.0 for Developer, and 31.8.0 for Agency. The issue arises because the plugins allow execution of an action that fails to properly validate a value before calling do_shortcode, enabling unauthenticated attackers to run arbitrary shortcodes. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-95.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction required. By targeting the insufficiently validated input, they can execute arbitrary shortcodes on affected WordPress sites, leading to low impacts on confidentiality, integrity, and availability as per the CVSS metrics.

Mitigation details are available in advisories from Wordfence and the plugin developer's changelog and product page at ays-pro.com, which reference updates addressing the shortcode validation flaw. Security practitioners should urge site owners to update the plugins beyond the listed vulnerable versions.
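The flaw class described above, a request value reaching do_shortcode() without validation, shown as an added illustrative example beside a hardened handler. This is not the Quiz Maker plugin's code: the cp_ function names, the AJAX action names and the 'ays_quiz' tag are assumptions; the hardened version shows the pattern of letting the client choose only a numeric quiz ID while the server builds the shortcode from an allowlisted tag.

```php
<?php
// Hypothetical illustration (not the Quiz Maker plugin's code) of the
// CWE-95 pattern behind CVE-2024-10633, and one way to close it.

// BEFORE: an unauthenticated AJAX action hands a request value straight to
// do_shortcode(). Every shortcode registered on the site, with any attributes,
// becomes callable by anyone who can reach admin-ajax.php.
function cp_vulnerable_render() {
    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $shortcode ); // unvalidated input reaches do_shortcode
    wp_die();
}
add_action( 'wp_ajax_nopriv_cp_vuln_render', 'cp_vulnerable_render' );

// AFTER: the client may only say *which* quiz to render. The server builds
// the shortcode text itself from an allowlisted tag and an integer ID, so no
// attacker-supplied string is ever parsed as shortcode markup.
const CP_ALLOWED_TAGS = array( 'ays_quiz' ); // assumed tag name, for illustration

function cp_build_shortcode( $tag, $id ) {
    // Both the allowlist and the registration check must pass.
    if ( ! in_array( $tag, CP_ALLOWED_TAGS, true ) || ! shortcode_exists( $tag ) ) {
        return null;
    }
    $id = absint( $id ); // coerce to a non-negative integer; 0 means "invalid"
    if ( 0 === $id ) {
        return null;
    }
    return sprintf( '[%s id="%d"]', $tag, $id );
}

function cp_hardened_render() {
    // The nonce guards against cross-site abuse; the allowlist in
    // cp_build_shortcode() is what actually closes the CWE-95 flaw.
    check_ajax_referer( 'cp_render', 'nonce' );
    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    $id  = isset( $_POST['id'] ) ? $_POST['id'] : 0;
    $shortcode = cp_build_shortcode( $tag, $id );
    if ( null === $shortcode ) {
        wp_send_json_error( 'invalid quiz reference', 400 );
    }
    wp_send_json_success( do_shortcode( $shortcode ) );
}
add_action( 'wp_ajax_nopriv_cp_hard_render', 'cp_hardened_render' );
```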

Details

CWE(s): CWE-95 (Eval Injection)

Affected Products: Ays Pro
(inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-68271 (shared CWE-95)
CVE-2026-4001 (shared CWE-95)
CVE-2026-23885 (shared CWE-95)
CVE-2025-0868 (shared CWE-95)
CVE-2026-35002 (shared CWE-95)
CVE-2026-29091 (shared CWE-95)
CVE-2025-40943 (shared CWE-95)
CVE-2026-1470 (shared CWE-95)
CVE-2026-33618 (shared CWE-95)
CVE-2025-27603 (shared CWE-95)
