
CVE-2024-10952: CWE-94 Improper Control of Generation of Code ('Code Injection') in wpkube Authors List

Severity: High
Tags: Vulnerability, CVE-2024-10952, CWE-94
Published: Wed Dec 04 2024 (12/04/2024, 02:40:25 UTC)
Source: CVE Database V5
Vendor/Project: wpkube
Product: Authors List

Description

CVE-2024-10952 is a high-severity vulnerability in the WordPress Authors List plugin by wpkube, affecting all versions up to and including 2.0.4. It allows unauthenticated attackers to execute arbitrary shortcodes via the update_authors_list_ajax AJAX action because input is not validated before being passed to do_shortcode. This code injection flaw (CWE-94) can lead to partial compromise of the confidentiality, integrity, and availability of affected WordPress sites. Exploitation requires no authentication or user interaction and can be performed remotely over the network. Although no exploits are currently reported in the wild, the vulnerability's ease of exploitation and broad impact make it a significant risk. Organizations running this plugin should prioritize patching or applying mitigations to prevent potential attacks. Countries with large WordPress user bases and significant web presence are most at risk. Defenders should monitor AJAX endpoints, restrict access, and consider disabling or replacing the plugin until a patch is available.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 08:25:46 UTC

Technical Analysis

CVE-2024-10952 is a high-severity vulnerability in the Authors List plugin for WordPress, developed by wpkube. The flaw resides in the update_authors_list_ajax AJAX action, which does not properly validate its input before passing it to the WordPress do_shortcode function. This improper control of code generation (CWE-94) allows unauthenticated remote attackers to inject and execute arbitrary shortcodes on vulnerable WordPress sites. Because a shortcode invokes a registered PHP callback and can trigger the functionality of any installed plugin or theme, this can lead to unauthorized code execution, data leakage, or site defacement. The vulnerability affects all versions up to and including 2.0.4, requires no authentication or user interaction, and is exploitable over the network. The CVSS v3.1 base score is 7.3, a high severity rating reflecting partial impact on confidentiality, integrity, and availability. No official patches or public exploit code are available yet, but the risk remains significant because of the plugin's widespread use and the power of shortcode execution in WordPress environments.
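As an added illustration of how this class of flaw is closed at the code level (this is not the Authors List plugin's code, which is not reproduced on this page), the hardened shape of a WordPress AJAX handler that renders a shortcode; the hook name, nonce action, capability and request parameters (tag, per_page, order) are hypothetical:

```php
<?php
// Added example, not the Authors List plugin's code: a hardened WordPress AJAX
// handler that renders a shortcode. Hook name, nonce action, capability and the
// request parameters (tag, per_page, order) are hypothetical.

// Registered on wp_ajax_ only (no wp_ajax_nopriv_ twin), so an unauthenticated
// request to admin-ajax.php never reaches this callback.
add_action( 'wp_ajax_example_authors_list_refresh', 'example_authors_list_refresh' );

function example_authors_list_refresh() {
    // Nonce: the request must come from a page or script this site issued.
    check_ajax_referer( 'example_authors_list_nonce', 'nonce' );

    // Capability: only users allowed to edit content may trigger rendering.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // The CWE-94 pattern is do_shortcode( $_POST['content'] ): the caller then
    // chooses which registered shortcode runs. Instead, the server owns the tag
    // and accepts only names from a fixed allowlist.
    $allowed = array( 'example_authors_list' );
    $tag     = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( array( 'message' => 'unknown shortcode' ), 400 );
    }

    // Each attribute is type-checked and clamped, and the shortcode string is
    // built with sprintf so request data can never close the tag or add one.
    $per_page = isset( $_POST['per_page'] ) ? absint( $_POST['per_page'] ) : 10;
    $per_page = max( 1, min( $per_page, 100 ) );
    $order    = 'asc';
    if ( isset( $_POST['order'] ) && 'desc' === sanitize_key( wp_unslash( $_POST['order'] ) ) ) {
        $order = 'desc';
    }

    $shortcode = sprintf( '[%s per_page="%d" order="%s"]', $tag, $per_page, $order );

    wp_send_json_success( array( 'html' => do_shortcode( $shortcode ) ) );
}
```

If the list must also render for anonymous visitors, a wp_ajax_nopriv_ hook can be added, but the allowlist and the server-built shortcode string must stay, since those, not the session, are what close the code-injection path.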

Potential Impact

The exploitation of CVE-2024-10952 can lead to unauthorized code execution on affected WordPress sites, potentially allowing attackers to manipulate site content, steal sensitive data, or disrupt service availability. Since the vulnerability requires no authentication, attackers can remotely compromise sites without prior access. This can result in website defacement, injection of malicious content (such as malware or phishing pages), or use of the compromised site as a foothold for further network attacks. The impact extends to the confidentiality of user data, integrity of site content, and availability of the web service. Organizations relying on the Authors List plugin for content management or author attribution face increased risk of reputational damage, data breaches, and operational disruption if exploited.

Mitigation Recommendations

1. Immediately audit WordPress sites for the presence of the Authors List plugin and identify versions up to 2.0.4.
2. Disable or uninstall the Authors List plugin until an official patch is released.
3. If disabling is not feasible, restrict access to the update_authors_list_ajax AJAX endpoint via web application firewall (WAF) rules or server-level access controls to trusted IPs only.
4. Monitor web server and WordPress logs for suspicious AJAX requests or unusual shortcode execution patterns.
5. Employ security plugins that can detect and block unauthorized shortcode execution.
6. Keep WordPress core and all plugins updated regularly to minimize exposure to known vulnerabilities.
7. Implement least privilege principles for WordPress user roles to limit potential damage from compromised accounts.
8. Prepare incident response plans to quickly address any signs of exploitation.
9. Follow wpkube and WordPress security advisories for timely patch releases and updates.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-11-06T21:06:11.373Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e03b7ef31ef0b59392e

Added to database: 2/25/2026, 9:47:47 PM

Last enriched: 2/26/2026, 8:25:46 AM

Last updated: 2/26/2026, 9:12:20 AM

