VYPR
High severity 7.3 · NVD Advisory · Published Oct 15, 2024 · Updated Apr 15, 2026

CVE-2024-9837

Description

The AADMY – Add Auto Date Month Year Into Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated arbitrary shortcode execution in the AADMY plugin for WordPress up to version 2.0.1 allows attackers to achieve Remote Code Execution.

Vulnerability Overview

The AADMY – Add Auto Date Month Year Into Posts plugin for WordPress, all versions up to and including 2.0.1, contains a vulnerability that permits unauthenticated attackers to execute arbitrary WordPress shortcodes. The plugin fails to validate a value passed into the do_shortcode function during execution of a specific action, leading to arbitrary shortcode execution [1].

Exploitation Method

An attacker can exploit this by sending a crafted request to the vulnerable action without requiring any authentication. The lack of input validation makes it trivial to inject arbitrary shortcodes, which can then invoke sensitive WordPress functions or execute arbitrary code. The plugin's own documentation lists numerous shortcodes (e.g., [cy], [today], [offset]) that are intended for dynamic date display, but the vulnerability allows any shortcode registered in WordPress to be run [1].

Potential Impact

Successful exploitation allows an attacker to execute arbitrary shortcodes, which in a standard WordPress installation can include the [file] shortcode or others that execute system commands, read files, or modify database entries. This can lead to Remote Code Execution (RCE), full site compromise, and data exfiltration. The CVSS v3 base score of 7.3 (High) reflects the low complexity and lack of authentication requirements [1].

Mitigation

At the time of publication, there is no patched version of the plugin. Users are advised to disable the plugin until the vendor releases an update that corrects the input validation flaw. The vulnerability is publicly documented on the Wordfence Intelligence platform and may be added to the CISA Known Exploited Vulnerabilities (KEV) catalog if active exploitation is observed [1].
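The validation gap described above, shown as an added example that is not the AADMY plugin's code: an unauthenticated handler that passes a request value to do_shortcode, beside a form that renders only an allowlist of tags. The action name `example_render`, the `content` parameter, the 200-byte limit and the function names are assumptions; the advisory does not name the plugin's real action.

```php
<?php
// Added example: hypothetical handler, not the AADMY plugin's code.
// Action name, parameter name and function names are assumptions.

// Tags this handler is meant to render (the three named in the advisory).
const EXAMPLE_ALLOWED_TAGS = array( 'cy', 'today', 'offset' );

// Vulnerable pattern: a request value reaches do_shortcode() unchecked,
// so every shortcode registered on the site is callable without login.
function example_render_unsafe() {
    echo do_shortcode( wp_unslash( $_POST['content'] ?? '' ) );
    wp_die();
}

// Hardened pattern: bound the input, then run do_shortcode() with only
// the allowlisted tags registered, so any other tag stays inert text.
function example_render_safe() {
    global $shortcode_tags;

    $raw = wp_unslash( $_POST['content'] ?? '' );
    if ( ! is_string( $raw ) || strlen( $raw ) > 200 ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    $saved = $shortcode_tags;
    try {
        // Keep only allowlisted tags for the duration of this call.
        $shortcode_tags = array_intersect_key(
            $saved,
            array_flip( EXAMPLE_ALLOWED_TAGS )
        );
        $html = do_shortcode( $raw );
    } finally {
        $shortcode_tags = $saved; // always restore the full registry
    }

    // Unmatched tags and any markup in the input are returned as data,
    // filtered through the post-content HTML allowlist.
    wp_send_json_success( wp_kses_post( $html ) );
}

// Only the hardened handler is hooked, for logged-out and logged-in users.
add_action( 'wp_ajax_nopriv_example_render', 'example_render_safe' );
add_action( 'wp_ajax_example_render', 'example_render_safe' );
```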

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.
