CVE-2024-11977: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction kk Star Ratings – Rate Post & Collect User Feedbacks
The The kk Star Ratings – Rate Post & Collect User Feedbacks plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.4.10. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. Note: This vulnerability was only partially patched in version 5.4.10.1, and fully patched in 5.4.10.2
AI Analysis
Technical Summary
CVE-2024-11977 is a code injection vulnerability in the kk Star Ratings – Rate Post & Collect User Feedbacks WordPress plugin. The issue arises because the plugin improperly validates input before executing do_shortcode, enabling unauthenticated attackers to execute arbitrary shortcodes. Versions up to 5.4.10 are affected. A partial fix was introduced in 5.4.10.1, and a complete fix was implemented in 5.4.10.2. This vulnerability has a CVSS 3.1 score of 7.3, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to code execution within the WordPress environment. This can compromise confidentiality, integrity, and availability of the affected system. The vulnerability affects all versions up to 5.4.10, with partial mitigation in 5.4.10.1 and full mitigation in 5.4.10.2. No known exploits in the wild have been reported yet.
Mitigation Recommendations
Upgrade the kk Star Ratings plugin to version 5.4.10.2 or later, where the vulnerability is fully patched. Versions 5.4.10.1 only partially address the issue and should not be considered fully secure. If immediate upgrade is not possible, restrict access to the plugin's functionality to trusted users as a temporary measure. Patch status is confirmed by the vendor's versioning notes; no other official advisory was provided.
CVE-2024-11977: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction kk Star Ratings – Rate Post & Collect User Feedbacks
Description
The The kk Star Ratings – Rate Post & Collect User Feedbacks plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.4.10. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. Note: This vulnerability was only partially patched in version 5.4.10.1, and fully patched in 5.4.10.2
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-11977 is a code injection vulnerability in the kk Star Ratings – Rate Post & Collect User Feedbacks WordPress plugin. The issue arises because the plugin improperly validates input before executing do_shortcode, enabling unauthenticated attackers to execute arbitrary shortcodes. Versions up to 5.4.10 are affected. A partial fix was introduced in 5.4.10.1, and a complete fix was implemented in 5.4.10.2. This vulnerability has a CVSS 3.1 score of 7.3, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to code execution within the WordPress environment. This can compromise confidentiality, integrity, and availability of the affected system. The vulnerability affects all versions up to 5.4.10, with partial mitigation in 5.4.10.1 and full mitigation in 5.4.10.2. No known exploits in the wild have been reported yet.
Mitigation Recommendations
Upgrade the kk Star Ratings plugin to version 5.4.10.2 or later, where the vulnerability is fully patched. Versions 5.4.10.1 only partially address the issue and should not be considered fully secure. If immediate upgrade is not possible, restrict access to the plugin's functionality to trusted users as a temporary measure. Patch status is confirmed by the vendor's versioning notes; no other official advisory was provided.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-11-28T23:47:43.608Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e29b7ef31ef0b597008
Added to database: 2/25/2026, 9:48:25 PM
Last enriched: 4/9/2026, 12:33:18 PM
Last updated: 4/12/2026, 8:31:47 AM
Views: 22
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.