The The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.2. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
History

Wed, 02 Oct 2024 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Blogcoding
Blogcoding special Text Boxes
CPEs cpe:2.3:a:blogcoding:special_text_boxes:*:*:*:*:*:wordpress:*:*
Vendors & Products Blogcoding
Blogcoding special Text Boxes

Wed, 25 Sep 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Minimus
Minimus special Text Boxes
CPEs cpe:2.3:a:minimus:special_text_boxes:*:*:*:*:*:*:*:*
Vendors & Products Minimus
Minimus special Text Boxes
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Sep 2024 02:30:00 +0000

Type Values Removed Values Added
Description The The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.2. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Title Special Text Boxes <= 6.2.2 - Unauthenticated Arbitrary Shortcode Execution
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-09-25T02:05:00.954Z

Updated: 2024-09-25T14:10:55.014Z

Reserved: 2024-09-05T15:54:41.396Z

Link: CVE-2024-8481

cve-icon Vulnrichment

Updated: 2024-09-25T14:07:47.804Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-25T03:15:04.593

Modified: 2024-10-02T17:59:52.013

Link: CVE-2024-8481

cve-icon Redhat

No data.