CVE-2024-13895 – The Code Snippets CPT WordPress plugin allows a... (How to Fix)

Q: What is the severity of CVE-2024-13895?

CVE-2024-13895 has a CVSS score of 4.3 (MEDIUM). The Code Snippets CPT WordPress plugin allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes due to improper input validation. This vulnerability affects all versions up to and including 2.1.0, potentially enabling attackers to perform unauthorized actions within WordPress.

📋 TL;DR

The Code Snippets CPT WordPress plugin allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes due to improper input validation. This vulnerability affects all versions up to and including 2.1.0, potentially enabling attackers to perform unauthorized actions within WordPress.

💻 Affected Systems

Products:

WordPress Code Snippets CPT plugin

Versions: All versions up to and including 2.1.0

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin enabled. Attackers need at least Subscriber-level authenticated access.

📦 What is this software?

Code Snippets Cpt by Jtsternberg

View all CVEs affecting Code Snippets Cpt →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could execute malicious shortcodes to create backdoors, escalate privileges, exfiltrate data, or compromise the entire WordPress site.

🟠

Likely Case

Attackers with subscriber accounts could execute unauthorized shortcodes to modify content, inject ads, redirect users, or perform limited administrative actions.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to content manipulation by authenticated users.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is technically simple once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.1 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3076155%40code-snippets-cpt&new=3076155%40code-snippets-cpt

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Code Snippets CPT' and click 'Update Now'. 4. Verify version is 2.1.1 or higher.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the Code Snippets CPT plugin until patched

wp plugin deactivate code-snippets-cpt

Restrict user registration

all

Disable new user registration to prevent attacker account creation

wp option update users_can_register 0

🧯 If You Can't Patch

Remove Subscriber role from all users and assign minimal necessary permissions
Implement web application firewall rules to block suspicious shortcode execution attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Code Snippets CPT → Version. If version is 2.1.0 or lower, system is vulnerable.

Check Version:

wp plugin get code-snippets-cpt --field=version

Verify Fix Applied:

Verify plugin version is 2.1.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual shortcode execution patterns in WordPress debug logs
Multiple failed authentication attempts followed by successful login

Network Indicators:

HTTP POST requests to wp-admin/admin-ajax.php with suspicious shortcode parameters

SIEM Query:

source="wordpress.log" AND "do_shortcode" AND ("action=code_snippets_cpt" OR "code-snippets-cpt")

📊 Metadata

CVE ID: CVE-2024-13895

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-94

EPSS Score: 0.18% exploit probability (39.7th percentile)

Published: March 8, 2025

Last Updated: March 12, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13895, you might also want to check these: