CVE-2024-12420
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary WordPress shortcodes through the WPMobile.App plugin. Attackers can potentially run malicious code, access sensitive data, or modify site content. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WPMobile.App — Android and iOS Mobile Application plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through remote code execution if vulnerable shortcodes exist, leading to data theft, defacement, or malware installation.
Likely Case
Unauthorized content modification, privilege escalation, or sensitive information disclosure through existing shortcode functionality.
If Mitigated
Limited impact if no dangerous shortcodes are available, but still represents a security bypass that could be chained with other vulnerabilities.
🎯 Exploit Status
Attack requires no authentication and leverages WordPress's built-in shortcode functionality. Exploitation depends on available shortcodes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.53 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207040%40wpappninja&new=3207040%40wpappninja&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'WPMobile.App — Android and iOS Mobile Application'. 4. Click 'Update Now' if available. 5. Alternatively, download version 11.53+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the WPMobile.App plugin until patched
wp plugin deactivate wpappninja
Restrict access via WAF
allBlock requests to vulnerable endpoints using web application firewall
🧯 If You Can't Patch
- Disable the WPMobile.App plugin immediately
- Implement strict input validation and output encoding for all user-controlled data
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 11.52 or lower, you are vulnerable.Check Version:
wp plugin get wpappninja --field=versionVerify Fix Applied:
Verify plugin version is 11.53 or higher after update. Test that shortcode execution requires proper authentication.📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode execution patterns
- Unauthenticated requests to plugin endpoints
- Unexpected content modifications
Network Indicators:
- HTTP requests to wpappninja endpoints with shortcode parameters from unauthenticated sources
SIEM Query:
source="wordpress" AND (uri_path="*wpappninja*" OR plugin="wpappninja") AND status="200" AND user="-"