CVE-2024-9772
Published 2024-10-26

Priority: P3 · 56 | Severity: high | CVSS 3.1: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

EPSS: 1.41% (69.3rd percentile)
The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| uiux | uix_shortcodes | <= 1.9.9 | — |
| uiuxlab | uix_shortcodes | <= 1.9.9 | — |
Detection & IOCs (extracted from sources)

- Detect unauthenticated POST requests to /wp-admin/admin-ajax.php with the action parameter set to 'uixscform_ajax_shortcodepreview' — this is the vulnerable AJAX action that allows arbitrary shortcode execution without authentication.
- Check for the presence of the plugin by probing /wp-content/plugins/uix-shortcodes/readme.txt and extracting the 'Stable tag' version; versions <= 1.9.7 (per the Nuclei template) / <= 1.9.9 (per NVD) are vulnerable.
- The exploit requires no authentication (PR:N, UI:N per CVSS). Any unauthenticated POST to admin-ajax.php with this action should be treated as a potential exploitation attempt.
- The vulnerable code path is in frontpage-init.php at line 9 of the plugin's trunk; review or monitor that file for tampering.
- The Content-Type of the exploit response is text/html with HTTP 200; correlate unauthenticated admin-ajax.php POSTs returning text/html containing shortcode output as a positive exploitation signal.
- The Nuclei template targets versions <= 1.9.7, but NVD states all versions up to and including 1.9.9 are vulnerable. Detection rules should cover the broader range.
- The Nuclei template uses a two-step flow: first verify plugin presence via readme.txt, then send the exploit POST. Detection logic should mirror this two-request pattern to reduce false positives.
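The detection points above (the vulnerable AJAX action, and the readme.txt probe followed by the POST) can be turned into a small access-log check. The script below is an added example written for this page; it is not code from the advisory, the plugin, or the Nuclei template. It assumes web server logs in the Apache/nginx "combined" format and that the WordPress `action` parameter is visible in the request line (query string); where clients send it only in the POST body, a WAF or request-body log is needed instead. The sample log lines, the `PROBE_WINDOW` value and the confidence labels are constructed for the example.

```python
"""Flag admin-ajax.php calls to the CVE-2024-9772 AJAX action in access logs.

Added example, not part of the page or the plugin. Assumes "combined" log
format and that the `action` parameter appears in the query string.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "uixscform_ajax_shortcodepreview"  # AJAX action named in the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"
README_PATH = "/wp-content/plugins/uix-shortcodes/readme.txt"  # presence probe used by the Nuclei template
PROBE_WINDOW = timedelta(minutes=10)  # assumption: how close a readme probe must be to count

# Constructed sample traffic (RFC 5737 test addresses), not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Oct/2024:10:14:02 +0000] "GET /wp-content/plugins/uix-shortcodes/readme.txt HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Oct/2024:10:14:05 +0000] "POST /wp-admin/admin-ajax.php?action=uixscform_ajax_shortcodepreview HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Oct/2024:10:20:11 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 73 "https://example.test/wp-admin/" "Mozilla/5.0"
192.0.2.5 - - [26/Oct/2024:11:02:40 +0000] "POST /wp-admin/admin-ajax.php?action=uixscform_ajax_shortcodepreview HTTP/1.1" 200 640 "-" "curl/8.4.0"
192.0.2.5 - - [26/Oct/2024:11:30:00 +0000] "GET /wp-content/plugins/uix-shortcodes/readme.txt HTTP/1.1" 404 150 "-" "curl/8.4.0"
"""

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields the check needs, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    rec["action"] = parse_qs(parts.query).get("action", [None])[0]
    return rec


def analyze(log_text):
    """Return one alert per POST to the vulnerable AJAX action.

    Confidence is "high" when the same client fetched the plugin's readme.txt
    successfully within PROBE_WINDOW before the POST (the two-request pattern
    the Nuclei template uses), and "medium" otherwise.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]

    # Index successful readme.txt fetches per client IP.
    readme_hits = {}
    for r in records:
        if r["method"] == "GET" and r["path"] == README_PATH and r["status"] == 200:
            readme_hits.setdefault(r["ip"], []).append(r["ts"])

    alerts = []
    for r in records:
        if r["method"] != "POST" or r["path"] != AJAX_PATH or r["action"] != VULN_ACTION:
            continue
        probed = any(
            timedelta(0) <= (r["ts"] - t) <= PROBE_WINDOW
            for t in readme_hits.get(r["ip"], [])
        )
        alerts.append({
            "ip": r["ip"],
            "time": r["ts"].isoformat(),
            "status": r["status"],
            "readme_probe_before": probed,
            "confidence": "high" if probed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the check raises two alerts: a high-confidence one for 203.0.113.7 (readme.txt fetched three seconds before the POST) and a medium-confidence one for 192.0.2.5 (no successful probe before the POST; its later 404 on readme.txt does not count). The regular `heartbeat` action is ignored. Access logs do not show login state, so the "unauthenticated" qualifier from the advisory cannot be checked here; a WAF or application log that records the session cookie would be needed to separate logged-in editors using the preview from outside callers.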
No detection rules found.
Nuclei template: WordPress UIX Shortcodes <= 1.9.7 - Unauthenticated Shortcode Execution (nuclei · CVSS 7.3)

CVE-2024-9772 [HIGH] WordPress UIX Shortcodes <= 1.9.7 - Unauthenticated Shortcode Execution
WordPress UIX Shortcodes = 1.9.8).

```yaml
reference:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-9772
  - https://downloads.wordpress.org/plugin/uix-shortcodes.1.9.7.zip
  - https://plugins.trac.wordpress.org/browser/uix-shortcodes/trunk/shortcodes/templates/default/frontpage-init.php#L9
  - https://wordpress.org/plugins/uix-shortcodes/#developers
  - https://www.wordfence.com/threat-intel/vulnerabilities/id/3000758d-68e0-46a6-aef0-e2407a828168?source=cve
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  cvss-score: 7.3
  cve-id: CVE-2024-9772
  cwe-id: CWE-94
  epss-score: 0.09352
  epss-percentile: 0.92777
  cpe: cpe:2.3:a:uiux:uix_shortcodes:*:*:*:*:*:wordpress:*:*
metadata:
  verified: true
  max-request: 2
  vendor: uiux
  product: uix_shortcodes
  framework: wordpress
  publicwww-query: "/wp-con
```
No writeups or analysis indexed.