CVE-2024-7381

Geo Controller <= 8.6.9 - Missing Authorization to Unauthenticated Shortcode Execution

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

The Geo Controller plugin for WordPress is vulnerable to unauthorized shortcode execution due to missing authorization and capability checks on the ajax__shortcode_cache function in all versions up to, and including, 8.6.9. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes available on the target site.

*Credits: Lucio Sá

CVSS Scores

Wordfencev3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-08-01 CVE Reserved
2024-09-04 CVE Published
2024-09-06 EPSS Updated
2024-09-24 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-862: Missing Authorization

CAPEC

References (2)

URL	Tag	Source
https://plugins.trac.wordpress.org/browser/cf-geoplugin/tags/8.6.9/inc/classes/Shortcodes.php#L1932
https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed7b13a-eec3-4035-8815-15228fb05af1?source=cve

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Creativform Search vendor "Creativform"		Geo Controller Search vendor "Creativform" for product "Geo Controller"				<= 8.6.9 Search vendor "Creativform" for product "Geo Controller" and version " <= 8.6.9"		en		Affected