CVE-2024-10909
📋 TL;DR
The Pojo Forms WordPress plugin allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes via a vulnerable AJAX action. This vulnerability exists because the plugin doesn't properly validate input before passing it to WordPress's do_shortcode function. WordPress sites using Pojo Forms versions 1.4.7 and earlier are affected.
💻 Affected Systems
- Pojo Forms WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary PHP code, upload malicious files, create backdoors, or compromise the entire WordPress installation and underlying server.
Likely Case
Attackers would execute existing WordPress shortcodes to perform unauthorized actions like creating admin users, modifying content, or accessing sensitive data.
If Mitigated
With proper access controls and monitoring, impact would be limited to content manipulation within the attacker's authenticated session scope.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Public exploit details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.8
Vendor Advisory: https://wordpress.org/plugins/pojo-forms/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Pojo Forms plugin
4. Click 'Update Now' if update available
5. If no update appears, manually download version 1.4.8+ from WordPress.org
6. Deactivate old version, upload new version, activate
🔧 Temporary Workarounds
Disable Pojo Forms Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate pojo-forms
Restrict User Registration
allDisable new user registration to prevent attacker account creation
In WordPress Settings → General, uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict user role management and review all Subscriber+ accounts
- Add web application firewall rules to block requests to /wp-admin/admin-ajax.php with form_preview_shortcode action
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Pojo Forms version. If version is 1.4.7 or lower, you are vulnerable.Check Version:
wp plugin get pojo-forms --field=versionVerify Fix Applied:
Verify Pojo Forms plugin version is 1.4.8 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=form_preview_shortcode
- Unusual shortcode execution in WordPress debug logs
- Multiple failed authentication attempts followed by successful Subscriber login
Network Indicators:
- HTTP POST requests containing 'form_preview_shortcode' in body
- Unusual AJAX requests from authenticated sessions
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "form_preview_shortcode"🔗 References
- https://plugins.trac.wordpress.org/browser/pojo-forms/tags/1.4.7/classes/class-pojo-forms-ajax.php#L16
- https://plugins.trac.wordpress.org/changeset/3201936/
- https://wordpress.org/plugins/pojo-forms/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/511ce6f6-aea3-4c37-8312-d6e5ff2fdf6f?source=cve
