CVE-2024-13499: CWE-94 Improper Control of Generation of Code ('Code Injection') in rubengc GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
CVE-2024-13499 is a high-severity vulnerability in the GamiPress WordPress plugin that allows unauthenticated attackers to execute arbitrary shortcodes via the gamipress_do_shortcode() function. This code injection flaw arises from improper validation of input before executing do_shortcode, enabling attackers to run malicious code. The vulnerability affects all versions up to and including 7. 2. 1. Exploitation requires no authentication or user interaction and can impact confidentiality, integrity, and availability of affected WordPress sites. While no known exploits are currently in the wild, the ease of exploitation and broad use of the plugin pose significant risks. Organizations using GamiPress should prioritize patching or applying mitigations to prevent potential compromise. Countries with large WordPress user bases and significant web presence are most at risk. The CVSS score is 7.
AI Analysis
Technical Summary
CVE-2024-13499 is a code injection vulnerability classified under CWE-94 found in the GamiPress – Gamification plugin for WordPress, developed by rubengc. The flaw exists in the gamipress_do_shortcode() function, which improperly validates input before passing it to WordPress's do_shortcode function. This improper control allows unauthenticated attackers to execute arbitrary shortcodes, effectively enabling remote code execution within the context of the WordPress site. Since shortcodes can trigger PHP code execution or other plugin functionalities, this vulnerability can be leveraged to escalate privileges, inject malicious content, or disrupt site operations. The vulnerability affects all versions up to and including 7.2.1, with no patch currently listed. The CVSS v3.1 score is 7.3 (High), with attack vector Network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability (C:L/I:L/A:L). No known exploits have been reported in the wild yet, but the vulnerability's nature and ease of exploitation make it a critical concern for WordPress sites using this plugin.
Potential Impact
The impact of CVE-2024-13499 is significant for organizations using the GamiPress plugin on WordPress sites. Successful exploitation can lead to unauthorized execution of arbitrary shortcodes, which may allow attackers to execute malicious PHP code, manipulate site content, steal sensitive data, or disrupt site availability. This can result in data breaches, defacement, loss of user trust, and potential lateral movement within the hosting environment. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely by any attacker scanning for vulnerable sites. Organizations relying on GamiPress for gamification features in their WordPress environments face risks of operational disruption and reputational damage. The broad use of WordPress globally amplifies the potential scale of impact.
Mitigation Recommendations
To mitigate CVE-2024-13499, organizations should immediately update the GamiPress plugin to a patched version once released by the vendor. Until a patch is available, administrators should consider disabling or removing the GamiPress plugin to eliminate the attack surface. Implementing Web Application Firewall (WAF) rules to detect and block suspicious shortcode execution attempts can provide temporary protection. Restricting access to the WordPress admin and plugin endpoints via IP whitelisting or VPN can reduce exposure. Regularly auditing installed plugins for vulnerabilities and minimizing the use of unnecessary plugins reduces risk. Monitoring logs for unusual shortcode usage or unexpected site behavior can help detect exploitation attempts early. Finally, maintaining regular backups ensures recovery capability in case of compromise.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
CVE-2024-13499: CWE-94 Improper Control of Generation of Code ('Code Injection') in rubengc GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Description
CVE-2024-13499 is a high-severity vulnerability in the GamiPress WordPress plugin that allows unauthenticated attackers to execute arbitrary shortcodes via the gamipress_do_shortcode() function. This code injection flaw arises from improper validation of input before executing do_shortcode, enabling attackers to run malicious code. The vulnerability affects all versions up to and including 7. 2. 1. Exploitation requires no authentication or user interaction and can impact confidentiality, integrity, and availability of affected WordPress sites. While no known exploits are currently in the wild, the ease of exploitation and broad use of the plugin pose significant risks. Organizations using GamiPress should prioritize patching or applying mitigations to prevent potential compromise. Countries with large WordPress user bases and significant web presence are most at risk. The CVSS score is 7.
AI-Powered Analysis
Technical Analysis
CVE-2024-13499 is a code injection vulnerability classified under CWE-94 found in the GamiPress – Gamification plugin for WordPress, developed by rubengc. The flaw exists in the gamipress_do_shortcode() function, which improperly validates input before passing it to WordPress's do_shortcode function. This improper control allows unauthenticated attackers to execute arbitrary shortcodes, effectively enabling remote code execution within the context of the WordPress site. Since shortcodes can trigger PHP code execution or other plugin functionalities, this vulnerability can be leveraged to escalate privileges, inject malicious content, or disrupt site operations. The vulnerability affects all versions up to and including 7.2.1, with no patch currently listed. The CVSS v3.1 score is 7.3 (High), with attack vector Network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability (C:L/I:L/A:L). No known exploits have been reported in the wild yet, but the vulnerability's nature and ease of exploitation make it a critical concern for WordPress sites using this plugin.
Potential Impact
The impact of CVE-2024-13499 is significant for organizations using the GamiPress plugin on WordPress sites. Successful exploitation can lead to unauthorized execution of arbitrary shortcodes, which may allow attackers to execute malicious PHP code, manipulate site content, steal sensitive data, or disrupt site availability. This can result in data breaches, defacement, loss of user trust, and potential lateral movement within the hosting environment. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely by any attacker scanning for vulnerable sites. Organizations relying on GamiPress for gamification features in their WordPress environments face risks of operational disruption and reputational damage. The broad use of WordPress globally amplifies the potential scale of impact.
Mitigation Recommendations
To mitigate CVE-2024-13499, organizations should immediately update the GamiPress plugin to a patched version once released by the vendor. Until a patch is available, administrators should consider disabling or removing the GamiPress plugin to eliminate the attack surface. Implementing Web Application Firewall (WAF) rules to detect and block suspicious shortcode execution attempts can provide temporary protection. Restricting access to the WordPress admin and plugin endpoints via IP whitelisting or VPN can reduce exposure. Regularly auditing installed plugins for vulnerabilities and minimizing the use of unnecessary plugins reduces risk. Monitoring logs for unusual shortcode usage or unexpected site behavior can help detect exploitation attempts early. Finally, maintaining regular backups ensures recovery capability in case of compromise.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-16T22:14:46.749Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e5bb7ef31ef0b59ed83
Added to database: 2/25/2026, 9:49:15 PM
Last enriched: 2/25/2026, 11:57:18 PM
Last updated: 2/26/2026, 6:26:23 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup
HighCVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator
MediumCVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.