CVE-2024-11816
published 2025-01-08CVE-2024-11816: The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Remote Code Execution in version 3.0.11. This is due to a missing capability…
PriorityP357high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.74%
50.0th percentile
The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Remote Code Execution in version 3.0.11. This is due to a missing capability check on the 'wpext_handle_snippet_update' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server providing an admin has created at least one code snippet.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpextended | the_ultimate_wordpress_toolkit_wp_extended | <= 3.0.11 | — |
| wpextended | ultimate_wordpress_toolkit | < 3.0.12 | 3.0.12 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/wpextended/trunk/includes/modules/core_extensions/wpext_snippets/wpext_snippets.php#L705https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3213331%40wpextended&new=3213331%40wpextended&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/b3ce53e5-8666-4227-83d3-58f35db0ce68?source=cve
2025-01-08
Published