CVE-2024-12415
Description
The AI Infographic Maker plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.9.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The AI Infographic Maker plugin for WordPress (≤4.9.0) allows unauthenticated arbitrary shortcode execution via improper validation.
Vulnerability
The AI Infographic Maker plugin (infographic-and-list-builder-ilist) for WordPress versions up to and including 4.9.0 contains a vulnerability that allows arbitrary shortcode execution. The plugin fails to properly validate a value before passing it to the do_shortcode function, enabling unauthenticated attackers to inject and execute arbitrary WordPress shortcodes.
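The flaw class described above, shown as an added example that is not the plugin's own code: it assumes the affected action is a WordPress AJAX handler, and every action, nonce, parameter and shortcode name in it is hypothetical. The first handler passes a request value straight to do_shortcode; the second validates against an allow-list before rendering.

```php
<?php
// Added illustration. Handler, action, nonce, parameter and shortcode names
// are hypothetical and are not taken from the AI Infographic Maker plugin.

// Weak pattern: the nopriv hook makes the action reachable without login,
// and the request value reaches do_shortcode() without validation.
add_action( 'wp_ajax_nopriv_example_preview', 'example_preview_weak' );
add_action( 'wp_ajax_example_preview', 'example_preview_weak' );
function example_preview_weak() {
    // Any shortcode registered on the site can be rendered by the caller.
    echo do_shortcode( wp_unslash( $_POST['content'] ) );
    wp_die();
}

// Hardened pattern: authenticated hook only, nonce and capability checks,
// and the shortcode string is assembled server-side from validated parts.
add_action( 'wp_ajax_example_preview_safe', 'example_preview_safe' );
function example_preview_safe() {
    // Terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'example_preview', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    $id  = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;

    // Allow-list: only the plugin's own shortcode may be rendered here.
    $allowed = array( 'example_infographic' );
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) || 0 === $id ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    // No caller-supplied markup is ever passed to do_shortcode().
    $html = do_shortcode( sprintf( '[%s id="%d"]', $tag, $id ) );
    wp_send_json_success( $html );
}
```

When reviewing a plugin for this pattern, trace every do_shortcode call back to its input and confirm that no request parameter can supply the shortcode tag or attributes unvalidated.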
Exploitation
An unauthenticated attacker can exploit this by sending a crafted request to the vulnerable action. No authentication or special privileges are required. The attacker can execute any shortcode available on the WordPress site, including those that may read files, exfiltrate data, or perform other actions.
Impact
Successful exploitation allows an attacker to execute arbitrary shortcodes, potentially leading to information disclosure, content manipulation, or other unintended actions depending on the shortcodes present. The attacker does not achieve direct remote code execution but can leverage shortcodes with side effects.
Mitigation
The vulnerability is fixed in version 5.1.7 of the plugin, as indicated by the WordPress plugin repository [1]. Users should update to the latest version immediately. No workarounds are mentioned in the available references.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.9.0
- Range: <=4.9.0
Patches
No patches discovered yet.
References