{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-10952", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-11-06T21:06:11.373Z", "datePublished": "2024-12-04T02:40:25.972Z", "dateUpdated": "2026-04-08T17:05:48.476Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:48.476Z"}, "affected": [{"vendor": "wpkube", "product": "Authors List", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution via update_authors_list_ajax AJAX action in all versions up to, and including, 2.0.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "title": "Authors List <= 2.0.4 - Unauthenticated Arbitrary Shortcode Execution via update_authors_list_ajax", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b3cfe0a-dcfb-40f3-ba43-4e838c113010?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/authors-list/tags/2.0.4/backend/includes/class-authors-list-item.php#L843"}, {"url": "https://wordpress.org/plugins/authors-list/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3205955/authors-list/trunk/backend/includes/class-authors-list-item.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Arkadiusz Hydzik"}], "timeline": [{"time": "2024-12-03T14:19:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"affected": [{"vendor": "wpkube", "product": "authors_list", "cpes": ["cpe:2.3:a:wpkube:authors_list:*:*:*:*:*:wordpress:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.4", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-04T14:41:33.371532Z", "id": "CVE-2024-10952", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-04T14:43:05.531Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-10952", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-11-06T21:06:11.373Z", "datePublished": "2024-12-04T02:40:25.972Z", "dateUpdated": "2024-12-04T14:43:05.531Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-12-04T02:40:25.972Z"}, "affected": [{"vendor": "wpkube", "product": "Authors List", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution via update_authors_list_ajax AJAX action in all versions up to, and including, 2.0.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "title": "Authors List <= 2.0.4 - Unauthenticated Arbitrary Shortcode Execution via update_authors_list_ajax", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b3cfe0a-dcfb-40f3-ba43-4e838c113010?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/authors-list/tags/2.0.4/backend/includes/class-authors-list-item.php#L843"}, {"url": "https://wordpress.org/plugins/authors-list/#developers"}, {"url": "https://www.wpkube.com/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Arkadiusz Hydzik"}], "timeline": [{"time": "2024-12-03T14:19:13.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-10952", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-04T14:41:33.371532Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:wpkube:authors_list:*:*:*:*:*:wordpress:*:*"], "vendor": "wpkube", "product": "authors_list", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.4"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-04T14:42:47.011Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution via update_authors_list_ajax AJAX action in all versions up to, and including, 2.0.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}, {"lang": "es", "value": "El complemento The Authors List para WordPress es vulnerable a la ejecuci\u00f3n de c\u00f3digos cortos arbitrarios mediante la acci\u00f3n AJAX update_authors_list_ajax en todas las versiones hasta la 2.0.4 incluida. Esto se debe a que el software permite a los usuarios ejecutar una acci\u00f3n que no valida correctamente un valor antes de ejecutar do_shortcode. Esto hace posible que atacantes no autenticados ejecuten c\u00f3digos cortos arbitrarios."}], "id": "CVE-2024-10952", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-12-04T03:15:04.593", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/authors-list/tags/2.0.4/backend/includes/class-authors-list-item.php#L843"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3205955/authors-list/trunk/backend/includes/class-authors-list-item.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/authors-list/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b3cfe0a-dcfb-40f3-ba43-4e838c113010?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{}