CVE-2024-3105 – Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.5.0 -Authenticated (Contributor+) Remote Code Execution

https://notcve.org/view.php?id=CVE-2024-3105

The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the 'insert_php' shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. El complemento Woody code snippets – Insert Header Footer Code, AdSense Ads para WordPress es vulnerable a la ejecución remota de código en todas las versiones hasta la 2.5.0 incluida a través del código corto 'insert_php'. Esto se debe a que el complemento no restringe el uso de la funcionalidad a usuarios autorizados de alto nivel. • https://github.com/hunThubSpace/CVE-2024-3105-PoC https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/class.plugin.php#L166 https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/shortcodes/shortcode-insert-php.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3102522%40insert-php&new=3102522%40insert-php&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/134ad095-b0a0-4f0f-832d-3e558d4a250a?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •