CVE-2024-11977
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary WordPress shortcodes through the kk Star Ratings plugin. Attackers can potentially inject malicious code or access restricted functionality. All WordPress sites using kk Star Ratings plugin versions up to 5.4.10 are affected.
💻 Affected Systems
- kk Star Ratings – Rate Post & Collect User Feedbacks WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data theft, or malware installation via malicious shortcodes.
Likely Case
Unauthorized content injection, privilege escalation, or data exfiltration through WordPress shortcode functionality.
If Mitigated
Limited impact if shortcode execution is restricted by WordPress security plugins or hardened configurations.
🎯 Exploit Status
Exploitation requires minimal technical skill as it involves simple HTTP requests to execute shortcodes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4.11
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3158478/kk-star-ratings/tags/5.4.11/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'kk Star Ratings' and click 'Update Now'.
4. Verify the version is 5.4.11 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the kk Star Ratings plugin until patched:
wp plugin deactivate kk-star-ratings
Restrict AJAX endpoints
Block access to wp-admin/admin-ajax.php for unauthenticated users via a web application firewall (note that this also blocks legitimate front-end features that rely on admin-ajax.php, including the plugin's own rating submissions).
🧯 If You Can't Patch
- Implement web application firewall rules to block suspicious shortcode execution attempts
- Disable the kk Star Ratings plugin completely until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → kk Star Ratings → Version number. If version is 5.4.10 or lower, you are vulnerable.
Check Version:
wp plugin get kk-star-ratings --field=version
Verify Fix Applied:
After updating, confirm plugin version is 5.4.11 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with 'action=kk_star_ratings' parameter
- Shortcode execution errors in WordPress debug logs
Network Indicators:
- HTTP requests containing shortcode syntax in POST parameters to admin-ajax.php
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "kk_star_ratings" AND ("shortcode" OR "[" OR "]")
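Detection logic for the indicators above, run over constructed sample log lines (added example, not part of this advisory): it flags POST requests to admin-ajax.php whose action is kk_star_ratings and whose parameters contain shortcode syntax. The JSON-lines log layout and its field names (method, uri, client, body) are assumptions about a proxy or WAF that records request bodies, not a real product's format.

```python
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# WordPress shortcode syntax: [name] or [name attr="value"].
SHORTCODE_RE = re.compile(r"\[[A-Za-z0-9_-]+[^\]]*\]")
TARGET_ACTION = "kk_star_ratings"

# Constructed sample log lines (JSON per line: method, uri, client, body);
# the layout and field names are assumptions, not a real product's format.
SAMPLE_LOG = """\
{"method": "GET", "uri": "/sample-post/", "client": "203.0.113.10", "body": ""}
{"method": "POST", "uri": "/wp-admin/admin-ajax.php", "client": "203.0.113.10", "body": "action=kk_star_ratings&id=12&rating=5"}
{"method": "POST", "uri": "/wp-admin/admin-ajax.php", "client": "198.51.100.7", "body": "action=kk_star_ratings&id=12&rating=%5Bexample_shortcode%5D"}
{"method": "POST", "uri": "/wp-admin/admin-ajax.php", "client": "198.51.100.7", "body": "action=heartbeat&data=%5Bx%5D"}
"""


def classify(record: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when a record matches the advisory's indicators."""
    if record.get("method", "").upper() != "POST":
        return None
    if not urlparse(record.get("uri", "")).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qs percent-decodes values, so %5B / %5D become [ and ].
    params = parse_qs(record.get("body", ""), keep_blank_values=True)
    if TARGET_ACTION not in params.get("action", []):
        return None
    hits = sorted(k for k, vals in params.items()
                  if any(SHORTCODE_RE.search(v) for v in vals))
    if hits:
        return ("high", "shortcode syntax in parameter(s): " + ", ".join(hits))
    # Plain rating submissions hit the same action; keep them as low-signal context.
    return ("low", "kk_star_ratings action without shortcode syntax")


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, severity, reason) for each matching line of log_text."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        result = classify(record)
        if result:
            findings.append((record.get("client", "?"), *result))
    return findings


if __name__ == "__main__":
    for client, severity, reason in scan(SAMPLE_LOG):
        print(f"{severity:4} {client:15} {reason}")
```

Because brackets are usually percent-encoded in request bodies (%5B and %5D), a literal "[" in a SIEM query misses them; the script decodes the body before matching.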