CVE-2024-10958
📋 TL;DR
The WP Photo Album Plus WordPress plugin contains an arbitrary shortcode execution vulnerability: an AJAX action registered for unauthenticated (nopriv) users takes shortcode text from the request and passes it to WordPress's shortcode renderer without validating it, so any visitor can execute any shortcode registered on the site. This affects every WordPress site running WP Photo Album Plus version 8.8.08.007 or earlier. The direct effect is execution of arbitrary shortcodes; whether that escalates to code execution or full site compromise depends on which shortcodes the other installed plugins and theme provide.
💻 Affected Systems
- WP Photo Album Plus WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover if another installed plugin or theme registers a shortcode that evaluates PHP, includes files, or fetches and renders remote content: shortcodes run with the web server's privileges, not the requester's, so a powerful shortcode reachable through this endpoint is equivalent to unauthenticated code execution, and from there data theft, defacement, or malware injection follow. WordPress core ships no shortcode that executes arbitrary PHP, so this outcome depends on the rest of the plugin set.
Likely Case
Unauthenticated attackers invoke whichever shortcodes are registered on the site to inject content into the AJAX response, trigger those shortcodes' side effects (form handling, e-mail sending, database queries), or fingerprint which plugins are installed by observing which shortcodes render.
If Mitigated
If the AJAX action is stopped before it reaches the plugin (plugin deactivated, or the action rejected at the web server, WAF, or a must-use plugin), the handler is unreachable and there is no residual impact. WordPress has no shortcode sandbox, so a block that inspects only the query string still leaves the POST-body form of the request open.
🎯 Exploit Status
Exploitation needs one unauthenticated HTTP request to /wp-admin/admin-ajax.php with action=getshortcodedrenderedfenodelay and the shortcode text in a request parameter. admin-ajax.php reads action from $_REQUEST, so both GET and POST reach the handler. No authentication, nonce, or user interaction is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.8.08.008 or later
Vendor Advisory: https://wordpress.org/plugins/wp-photo-album-plus/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WP Photo Album Plus.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 8.8.08.008 or later from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Block access to the getshortcodedrenderedfenodelay AJAX action via .htaccess or web server configuration. The rule below inspects only the query string; admin-ajax.php reads action from $_REQUEST, so a POST that carries action=getshortcodedrenderedfenodelay in the body is not matched and mod_rewrite cannot see request bodies. Treat it as a partial stopgap and pair it with WAF rules that inspect request bodies, or deactivate the plugin.
# Add to .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} action=getshortcodedrenderedfenodelay
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
</IfModule>
Disable plugin
Temporarily deactivate the WP Photo Album Plus plugin until it is patched (WP-CLI, run from the WordPress root):
wp plugin deactivate wp-photo-album-plus
🧯 If You Can't Patch
- Disable the WP Photo Album Plus plugin immediately
- Implement web application firewall rules that reject requests to admin-ajax.php whose action parameter equals getshortcodedrenderedfenodelay, checking both the query string and the POST body, since admin-ajax.php reads action from $_REQUEST. The same check can be done inside WordPress with a must-use plugin hooked to admin_init: if the action matches and is_user_logged_in() is false, call wp_die() before the plugin's handler runs, which covers both request methods.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WP Photo Album Plus version. If version is 8.8.08.007 or lower, you are vulnerable.
Check Version:
wp plugin list --name=wp-photo-album-plus --field=version
Verify Fix Applied:
Verify that the plugin version shown in the WordPress admin panel (or by wp plugin list) is 8.8.08.008 or higher. If you also test the endpoint, do it on a staging copy: send both request forms the site faces (GET with the action in the query string, and POST with it in the body) using a harmless shortcode, compare the responses before and after the update, and confirm that both attempts appear in the web server and WAF logs so your detection rules are known to see them.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests (GET or POST) to /wp-admin/admin-ajax.php with action=getshortcodedrenderedfenodelay in the query string; for POST, the action may instead be in the body, which standard access logs do not record, so WAF or ModSecurity audit logs are needed to see those
- WordPress does not log shortcode execution by itself, so the submitted shortcode text is visible only in WAF request-body logging or a plugin-level audit log
- Unauthenticated requests to admin-ajax.php are normal (heartbeat, nopriv actions of other plugins), so alert on this specific action rather than on unauthenticated admin-ajax traffic in general
Network Indicators:
- POST requests to admin-ajax.php whose body carries action=getshortcodedrenderedfenodelay and shortcode text, visible only at a reverse proxy or WAF that inspects request bodies
- Bursts of admin-ajax.php requests from a single external IP, especially from scripted user agents or cycling through many different action values, which is typical of scanners probing for this class of bug
SIEM Query:
source="web_logs" AND uri_path="*/wp-admin/admin-ajax.php" AND query_string="*action=getshortcodedrenderedfenodelay*"
The wildcard prefix on uri_path also catches subdirectory installs. This query matches only the query-string form; to cover POST bodies, add a second query for POSTs to admin-ajax.php with no action in the query string (the field name http_method is an assumption about your SIEM schema) and correlate those hits with WAF body logs:
source="web_logs" AND uri_path="*/wp-admin/admin-ajax.php" AND http_method="POST" AND NOT query_string="*action=*"
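The version check from the "How to Verify" section and the log indicators above, as an added Python example (not code from this advisory, the plugin, or its vendor): it compares an installed version string against the first fixed release named on this page and triages access-log lines, flagging the vulnerable action in the query string and separately flagging POSTs to admin-ajax.php with no action in the query string, since those can only be confirmed or cleared from a WAF or ModSecurity log that records request bodies. The log lines are constructed for the demonstration (RFC 5737 documentation addresses, combined log format) and are not real captures; the action name and fixed version are the ones this page gives.

```python
"""CVE-2024-10958 helpers: version check and access-log triage.

Added example for this advisory; not code from the plugin or its vendor.
The log lines below are constructed in Apache/Nginx combined format.
"""
import re
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "getshortcodedrenderedfenodelay"  # AJAX action named in the advisory
FIXED_VERSION = "8.8.08.008"                    # first fixed release per the advisory

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def version_tuple(version: str) -> tuple:
    """'8.8.08.007' -> (8, 8, 8, 7); leading zeros carry no meaning."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed plugin version is below the first fixed release."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def classify(line: str):
    """Classify one access-log line.

    'exploit_attempt'       -> vulnerable action present in the query string
    'needs_body_inspection' -> POST to admin-ajax.php with no action in the
                               query string; admin-ajax.php reads action from
                               $_REQUEST, so it may sit in the POST body, which
                               access logs never record
    None                    -> unparseable or benign
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # endswith() also covers subdirectory installs such as /blog/wp-admin/...
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    actions = parse_qs(url.query).get("action", [])
    if VULN_ACTION in actions:
        return "exploit_attempt"
    if m.group("method") == "POST" and not actions:
        return "needs_body_inspection"
    return None


def scan(lines):
    """Group log lines by classification; benign lines are dropped."""
    hits = {"exploit_attempt": [], "needs_body_inspection": []}
    for line in lines:
        label = classify(line)
        if label:
            hits[label].append(line)
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Nov/2024:10:15:22 +0000] "POST /wp-admin/admin-ajax.php?action=getshortcodedrenderedfenodelay HTTP/1.1" 200 1532 "-" "curl/8.4.0"',
    '203.0.113.10 - - [06/Nov/2024:10:15:23 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    '198.51.100.7 - - [06/Nov/2024:10:16:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 75 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Nov/2024:10:16:05 +0000] "GET /index.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [06/Nov/2024:10:17:40 +0000] "GET /blog/wp-admin/admin-ajax.php?action=getshortcodedrenderedfenodelay HTTP/1.1" 403 199 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    print("8.8.08.007 vulnerable:", is_vulnerable("8.8.08.007"))
    print("8.8.08.008 vulnerable:", is_vulnerable("8.8.08.008"))
    for label, entries in scan(SAMPLE_LOG).items():
        print(f"{label}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

The fifth sample line is a blocked request (status 403) against a subdirectory install; it is still flagged, because a blocked attempt is evidence of targeting and of the .htaccess rule working, and the status can be used downstream to separate successes from blocks. The 'needs_body_inspection' bucket is deliberately noisy on sites whose plugins legitimately POST to admin-ajax.php without a query string; its purpose is to produce the list of requests to cross-check against WAF body logs, not to alert on its own.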
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/8.8.08.004/wppa-ajax.php#L1238
- https://plugins.trac.wordpress.org/changeset/3184852/
- https://wordpress.org/plugins/wp-photo-album-plus/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/53bb0871-343a-4299-9902-682c422152d1?source=cve