CVE-2024-9772
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary WordPress shortcodes through the Uix Shortcodes plugin. All WordPress sites using this plugin up to version 1.9.9 are affected. Attackers can leverage this to potentially execute malicious code or access restricted functionality.
💻 Affected Systems
- Uix Shortcodes – Compatible with Gutenberg WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary PHP code through shortcodes that support code execution, leading to complete site compromise, data theft, or malware installation.
Likely Case
Attackers will execute existing shortcodes to access restricted functionality, display unauthorized content, or perform actions like user enumeration, post creation, or privilege escalation.
If Mitigated
With proper input validation and shortcode sanitization, the impact is limited to executing only safe, predefined shortcodes.
🎯 Exploit Status
The vulnerability is straightforward to exploit as it requires no authentication and involves simple HTTP requests with malicious shortcode parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.0 or later
Vendor Advisory: https://wordpress.org/plugins/uix-shortcodes/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Uix Shortcodes – Compatible with Gutenberg'.
4. Click 'Update Now' if available, or delete the plugin and reinstall the latest version.
5. Verify that the installed version is 1.10.0 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the Uix Shortcodes plugin until it is patched
wp plugin deactivate uix-shortcodes
Restrict access via WAF
Block requests containing suspicious shortcode parameters
🧯 If You Can't Patch
- Implement web application firewall rules to block requests with suspicious shortcode parameters
- Disable the Uix Shortcodes plugin entirely and use alternative shortcode solutions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → Uix Shortcodes version. If the version is 1.9.9 or lower, the site is vulnerable.
Check Version:
wp plugin get uix-shortcodes --field=version
Verify Fix Applied:
After update, verify plugin version shows 1.10.0 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress endpoints with shortcode parameters
- Multiple failed shortcode execution attempts in WordPress debug logs
Network Indicators:
- HTTP requests containing unusual shortcode patterns or encoded payloads
- Traffic spikes to WordPress admin-ajax.php or similar endpoints
SIEM Query:
source="wordpress.log" AND (shortcode OR do_shortcode) AND (POST OR PUT) AND status=200
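A small log-triage script that applies the same predicate as the SIEM query above (write method, 200 response, shortcode in the request) to web-server access-log lines and groups hits by client IP. It is added here as an example and is not part of the advisory or the plugin; the log lines, the `action=render` value and the `shortcode=` query parameter are constructed for illustration, not the plugin's real request format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines (documentation-range IPs,
# made-up query parameters); illustrative only, not captured from a real site.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=render&shortcode=%5Bgallery%5D HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.5 - - [10/Oct/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=render&shortcode=%5Bcaption%5D HTTP/1.1" 200 2048 "-" "curl/8.4"
198.51.100.7 - - [10/Oct/2024:12:00:03 +0000] "GET /?p=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:12:00:05 +0000] "PUT /wp-admin/admin-ajax.php?shortcode=%5Bgallery%5D HTTP/1.1" 403 0 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TAG_RE = re.compile(r"\[([A-Za-z0-9_-]+)")  # opening bracket followed by a tag name


def parse_line(line):
    """Parse one access-log line; return a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])  # decode %5B...%5D so [tag] becomes visible
    return rec


def is_suspicious(rec):
    """The advisory's query as a predicate: POST/PUT, status 200, shortcode in the request."""
    return (rec["method"] in ("POST", "PUT") and rec["status"] == 200
            and re.search(r"shortcode|do_shortcode", rec["path"], re.I) is not None)


def shortcode_tags(rec):
    """Tag names found in the decoded request, to see which shortcodes were invoked."""
    return TAG_RE.findall(rec["path"])


def find_hits(log_text):
    """Return the parsed records that match the detection predicate."""
    return [r for r in (parse_line(line) for line in log_text.splitlines())
            if r and is_suspicious(r)]


def per_source_counts(hits):
    """Count hits per client IP to spot a single source hammering the endpoint."""
    return Counter(h["ip"] for h in hits)
```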