CVE-2024-11733
Published: 03 January 2025
Summary
CVE-2024-11733 is a high-severity Code Injection (CWE-94) vulnerability in WordPress (product inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 21.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-11733 is an arbitrary shortcode execution vulnerability (CWE-94) in the WordPress Popular Posts plugin for WordPress, affecting all versions up to and including 7.1.0. The issue stems from the plugin allowing execution of an action that fails to properly validate a value prior to invoking the do_shortcode function, enabling unauthenticated attackers to run arbitrary shortcodes. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. By targeting the insufficiently validated input, they can execute arbitrary shortcodes, potentially resulting in low-level impacts to confidentiality, integrity, and availability, such as data disclosure, modification, or denial of service within the affected WordPress site.
Advisories and mitigation details are provided by Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/c38ac8d6-c6de-4be7-bf7b-198e085a0ad2?source=cve. The vulnerable code is visible in the plugin source at https://plugins.trac.wordpress.org/browser/wordpress-popular-posts/tags/7.1.0/src/Rest/ViewLoggerEndpoint.php#L70, where the lack of validation occurs prior to do_shortcode execution.
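The bug class described above, as an added illustration rather than the plugin's own code: a public REST callback that hands a request value straight to do_shortcode(), beside a hardened callback that accepts only a validated post ID. The function, route and shortcode names are hypothetical; the WordPress functions used (register_rest_route, do_shortcode, absint, get_post, rest_ensure_response) are core APIs, and the snippet assumes it runs inside WordPress.

```php
<?php
// Constructed illustration of the bug class, not the plugin's own code: a public
// REST callback forwards a request value into do_shortcode() unchanged, beside a
// hardened version that only accepts a validated post ID. Function, route and
// shortcode names are hypothetical; the WordPress APIs used are core functions.

// Vulnerable pattern: a request parameter becomes the shortcode text, so any
// shortcode registered on the site can be triggered by an unauthenticated caller.
function wpp_demo_unsafe_callback( WP_REST_Request $request ) {
    $value = $request->get_param( 'value' ); // never validated
    return rest_ensure_response( do_shortcode( $value ) );
}

// Hardened pattern: accept only a post ID, reject anything that is not an
// existing post, and build the shortcode string from a fixed server-side
// template so no caller-controlled text ever reaches do_shortcode().
function wpp_demo_safe_callback( WP_REST_Request $request ) {
    $post_id = absint( $request->get_param( 'post_id' ) );
    if ( 0 === $post_id || null === get_post( $post_id ) ) {
        return new WP_Error( 'wpp_demo_invalid_post', 'Unknown post ID.', array( 'status' => 400 ) );
    }
    $shortcode = sprintf( '[wpp_demo_views id="%d"]', $post_id );
    return rest_ensure_response( do_shortcode( $shortcode ) );
}

// Hypothetical shortcode the fixed template targets; renders a stored view count.
add_shortcode( 'wpp_demo_views', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    return esc_html( (string) get_post_meta( absint( $atts['id'] ), 'wpp_demo_views', true ) );
} );

// Register only the hardened callback. The endpoint stays reachable without
// authentication, so the args schema carries the validation burden.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wpp-demo/v1', '/views', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'wpp_demo_safe_callback',
        'permission_callback' => '__return_true',
        'args'                => array(
            'post_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );
```

With the schema in place, a request whose post_id is missing, non-numeric or not an existing post is rejected with HTTP 400 before the callback body runs.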
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33905
Vulnerability details
The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): direct remote exploitation of an unauthenticated arbitrary shortcode execution flaw (CWE-94) in a public-facing WordPress plugin.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of information inputs prior to processing, addressing the core issue of insufficient validation before invoking do_shortcode.
- SI-2 (Flaw Remediation): requires identification, reporting, and correction of system flaws like this plugin vulnerability through patching to newer versions.
- CM-7 (Least Functionality): enforces least functionality by restricting unnecessary plugins or endpoints, mitigating exposure to vulnerable components like WordPress Popular Posts.