1 results (0.004 seconds)

CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0

The The Simple Spoiler plugin for WordPress is vulnerable to arbitrary shortcode execution in versions 1.2 to 1.3. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/simple-spoiler/trunk/simple-spoiler.php#L108 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3151179%40simple-spoiler&new=3151179%40simple-spoiler&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/8ffc76d8-b841-4c26-bbc6-1f96664efe36?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •