CVE-2024-13900

Medium

Published: 21 February 2025

Published

21 February 2025

Modified

25 February 2025

KEV Added

—

Patch

—

CVSS Score 4.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0011 28.7th percentile

Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Description

The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject PHP Code in multisite environments.

Security Summary

CVE-2024-13900 is a PHP Code Injection vulnerability (CWE-94) in the Head, Footer and Post Injections plugin for WordPress, affecting all versions up to and including 3.3.0. The flaw exists specifically in multisite environments, where improper input handling allows malicious code execution.

Authenticated attackers with Administrator-level access or higher can exploit this vulnerability over the network. Exploitation requires high attack complexity but no user interaction, potentially resulting in limited impacts to confidentiality, integrity, and availability, as scored at CVSS 4.1 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L).

Advisories recommend updating the plugin beyond version 3.3.0 to mitigate the issue, with the WordPress plugin trac changeset 3244016 documenting the fix and Wordfence providing threat intelligence details at their referenced page.

Details

CWE(s): CWE-94

Affected Products

satollo

head\, footer\, and post injections

≤ 3.3.1

References

https://plugins.trac.wordpress.org/changeset/3244016/
Patch · security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/5177bde6-4922-48ee-9155-577c392809a0?source=cve
Third Party Advisory · security@wordfence.com