CVE-2024-13495
Published: 22 January 2025
Description
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the gamipress_ajax_get_logs() function in all versions up to, and including, 7.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Security Summary
CVE-2024-13495 is an arbitrary shortcode execution vulnerability in the GamiPress – Gamification plugin for WordPress, affecting all versions up to and including 7.2.1. The issue resides in the gamipress_ajax_get_logs() function within the plugin's AJAX handlers, where a user-supplied value is passed to WordPress's do_shortcode() without proper validation, enabling execution of arbitrary shortcodes. This flaw is classified under CWE-94 (Improper Control of Generation of Code) and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. By sending a crafted request to the gamipress_ajax_get_logs() endpoint, they can inject and execute arbitrary shortcodes, potentially compromising site confidentiality, integrity, or availability to a low degree depending on the shortcode's capabilities.
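The following is an added illustration of the CWE-94 pattern described above, not GamiPress's own code: a WordPress AJAX handler that hands a client-supplied value straight to do_shortcode(), next to a hardened handler in which the server owns the shortcode tag and the client only supplies validated parameters. All handler names, request keys and the `hypothetical_logs` shortcode are assumed for illustration.

```php
<?php
// Added illustration (not GamiPress's own code). Handler names, request keys
// and the [hypothetical_logs] shortcode are hypothetical.

// VULNERABLE PATTERN: the request body is interpreted as shortcode markup, so
// the caller, not the server, decides which registered shortcode runs.
function hypothetical_vulnerable_get_logs() {
    $markup = isset( $_REQUEST['logs_shortcode'] ) ? wp_unslash( $_REQUEST['logs_shortcode'] ) : '';
    wp_send_json_success( do_shortcode( $markup ) );   // no validation before do_shortcode()
}
// "nopriv" exposes the handler to unauthenticated callers, matching the advisory.
add_action( 'wp_ajax_nopriv_hypothetical_get_logs', 'hypothetical_vulnerable_get_logs' );

// HARDENED PATTERN: fixed shortcode tag; typed, allow-listed parameters only.
function hypothetical_hardened_get_logs() {
    check_ajax_referer( 'hypothetical_get_logs', 'nonce' );   // rejects forged/replayed requests

    $allowed_types = array( 'points', 'achievements', 'ranks' );
    $type  = isset( $_REQUEST['type'] )  ? sanitize_key( $_REQUEST['type'] ) : '';
    $limit = isset( $_REQUEST['limit'] ) ? absint( $_REQUEST['limit'] )      : 10;

    if ( ! in_array( $type, $allowed_types, true ) || $limit < 1 || $limit > 100 ) {
        wp_send_json_error( 'invalid parameters', 400 );   // exits after sending the response
    }

    // The tag is a server-side constant and each value is escaped as an attribute,
    // so user input can neither name a different shortcode nor break out of its attribute.
    $markup = sprintf( '[hypothetical_logs type="%s" limit="%d"]', esc_attr( $type ), $limit );
    wp_send_json_success( do_shortcode( $markup ) );
}
// Authenticated-only registration; add a capability check inside the handler if the
// data returned should be restricted further.
add_action( 'wp_ajax_hypothetical_get_logs', 'hypothetical_hardened_get_logs' );
```

The review question for any handler of this shape is whether the string reaching do_shortcode() can contain a tag chosen by the client; if it can, validation of individual values is not enough and the tag must be fixed server-side as shown.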
Patches and mitigation details are referenced in WordPress plugin Trac resources, including the vulnerable code at line 39 of ajax-functions.php and the fix in changeset 3226227. Additional guidance appears in the GamiPress developers section on wordpress.org/plugins/gamipress and in Wordfence threat intelligence at their vulnerability page. Security practitioners should update affected installations immediately.
Details
- CWE(s)