CVE-2024-10633
Published: 26 January 2025
Summary
CVE-2024-10633 is a high-severity Eval Injection (CWE-95) vulnerability in Ays Pro (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-10633 is an arbitrary shortcode execution vulnerability in the Quiz Maker Business, Developer, and Agency plugins for WordPress. It affects all versions up to and including 8.8.0 for Business, 21.8.0 for Developer, and 31.8.0 for Agency. The issue arises because the plugins allow execution of an action that fails to properly validate a value before calling do_shortcode, enabling unauthenticated attackers to run arbitrary shortcodes. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-95.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction required. By targeting the insufficiently validated input, they can execute arbitrary shortcodes on affected WordPress sites, leading to low impacts on confidentiality, integrity, and availability as per the CVSS metrics.
Mitigation details are available in advisories from Wordfence and the plugin developer's changelog and product page at ays-pro.com, which reference updates addressing the shortcode validation flaw. Security practitioners should urge site owners to update the plugins beyond the listed vulnerable versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33590
Vulnerability details
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This is…
more
due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of unauthenticated arbitrary shortcode execution flaw in public-facing WordPress plugin (CWE-95).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of inputs before processing, addressing the core flaw of insufficient validation prior to do_shortcode execution.
Mandates timely remediation of flaws through patching, directly mitigating exploitation by updating vulnerable Quiz Maker plugin versions.
Enables vulnerability scanning to identify and prioritize the specific shortcode execution flaw in deployed plugins.