Vulnerability Details CVE-2024-4037
The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.7.02.003. This is due to the plugin allowing unauthenticated users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 71.5%
CVSS Severity
CVSS v3 Score 6.5
References
- https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/trunk/wppa-ajax.php#L1138
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3078746%40wp-photo-album-plus&new=3078746%40wp-photo-album-plus&sfp_email=&sfph_mail=#file3
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3079831%40wp-photo-album-plus&new=3079831%40wp-photo-album-plus&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3d6b95ee-0a0d-49f7-83b1-4716eec3b863?source=cve
- https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/trunk/wppa-ajax.php#L1138
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3078746%40wp-photo-album-plus&new=3078746%40wp-photo-album-plus&sfp_email=&sfph_mail=#file3
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3079831%40wp-photo-album-plus&new=3079831%40wp-photo-album-plus&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3d6b95ee-0a0d-49f7-83b1-4716eec3b863?source=cve
Products affected by CVE-2024-4037
-
cpe:2.3:a:wppa:wp_photo_album_plus:-
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.0.00.024
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.0.01.005
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.0.02.010
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.0.03.006
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.0.04.007
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.0.05.004
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.0.06.004
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.0.07.018
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.0.08.008
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.0.09.003
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.0.10.006
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.00.009
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.01.005
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.02
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.02.005
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.03
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.03.003
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.04
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.04.004
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.05
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.05.003
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.06
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.06.006
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.07
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.07.004
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.08
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.08.004
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.09
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.09.008
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.10
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.1.10.005
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.01
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.01.008
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.02
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.02.010
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.03
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.03.006
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.04
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.04.009
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.05
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.05.008
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.06
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.06.006
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.07
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.07.003
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.08
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.08.006
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.2.09.103
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.01
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.01.010
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.02
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.02.005
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.03
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.03.009
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.04
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.04.009
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.05
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.05.006
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.06
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.06.003
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.07
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.3.07.004
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.4.00
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.4.00.001
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.4.01
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.4.01.008
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.4.02
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.4.02.009
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.4.03.012
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.4.04.003
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.5.01
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.5.01.009
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.5.02
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.5.02.005
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.5.03.012
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.6.01
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.6.01.005
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.6.03.005
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.6.04.009
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.6.05.005
-
cpe:2.3:a:wppa:wp_photo_album_plus:8.7.00.003