CVE-2024-10958 Overview
CVE-2024-10958 affects the WP Photo Album Plus plugin for WordPress through version 8.8.08.007. The plugin exposes the getshortcodedrenderedfenodelay AJAX action without proper input validation. Unauthenticated attackers can pass arbitrary shortcode strings to this endpoint, which the plugin then hands directly to WordPress's do_shortcode function. This results in arbitrary shortcode execution on any vulnerable WordPress site running the plugin. The flaw is classified under CWE-94 (Improper Control of Generation of Code).
Critical Impact
Unauthenticated remote attackers can execute arbitrary WordPress shortcodes, enabling content manipulation, information disclosure, and potential abuse of other plugins' shortcode handlers.
Affected Products
- WP Photo Album Plus plugin for WordPress, all versions up to and including 8.8.08.007
- WordPress sites running the vulnerable wppa-ajax.php handler
- Sites combining WP Photo Album Plus with other shortcode-providing plugins
Discovery Timeline
- 2024-11-10 - CVE-2024-10958 published to NVD
- 2024-11-14 - Last updated in NVD database
Technical Details for CVE-2024-10958
Vulnerability Analysis
The vulnerability resides in the wppa-ajax.php file of the WP Photo Album Plus plugin. The AJAX action getshortcodedrenderedfenodelay is registered for both authenticated and unauthenticated requests through wp_ajax_nopriv_. The handler accepts a user-supplied parameter and passes it directly into WordPress's do_shortcode function without sanitization or capability checks.
WordPress's do_shortcode parses and executes any registered shortcode in the supplied string. Because shortcodes can be registered by any installed plugin or theme, an attacker can invoke shortcodes from unrelated components. This expands the impact beyond the photo album plugin itself to any shortcode handler available on the site.
The EPSS score of approximately 55.7% places this issue in the top 2% of vulnerabilities most likely to be exploited, reflecting both ease of exploitation and broad plugin deployment.
Root Cause
The root cause is missing input validation and missing authorization. The handler does not verify the caller's identity, does not enforce a nonce, and does not restrict which shortcodes can be rendered. Any string reaching the parameter is treated as trusted shortcode markup.
Attack Vector
Exploitation requires only a network-reachable WordPress site running the vulnerable plugin. An attacker sends an HTTP POST request to /wp-admin/admin-ajax.php with action=getshortcodedrenderedfenodelay and a crafted shortcode payload. The server processes the shortcode and returns the rendered output to the attacker. No authentication, user interaction, or special privileges are needed. See the WordPress Plugin Source Code for the affected handler and the Wordfence Vulnerability Report for additional analysis.
Detection Methods for CVE-2024-10958
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=getshortcodedrenderedfenodelay from unauthenticated sources.
- Unexpected shortcode execution patterns in WordPress debug or access logs referencing plugin shortcodes the site does not normally render externally.
- Outbound network connections initiated by PHP workers immediately following AJAX requests to the vulnerable endpoint.
Detection Strategies
- Inspect web server logs for the string getshortcodedrenderedfenodelay in query strings or POST bodies, especially from anonymous clients.
- Deploy WordPress security plugins or web application firewall (WAF) rules that flag AJAX actions invoking do_shortcode without an authenticated session.
- Correlate spikes in admin-ajax.php traffic with the installed plugin version using the wppa:wp_photo_album_plus component identifier.
Monitoring Recommendations
- Forward WordPress access logs and PHP error logs to a central SIEM for correlation across hosts.
- Alert on repeated unauthenticated requests to admin-ajax.php that include shortcode delimiters such as [ and ] in parameters.
- Track outbound HTTP requests from web servers to detect shortcodes that trigger remote content fetches.
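The log checks in the Detection Strategies and Monitoring Recommendations above, worked through as an added example (not part of the original advisory, and not code from the plugin or from WordPress). It parses access-log lines in the common "combined" format, flags requests to admin-ajax.php whose query string names the vulnerable action, tags shortcode delimiters in parameters and the absence of a referer, and counts hits per source address so repeated unauthenticated requests stand out. The log lines are constructed samples. One caveat the example makes explicit: a standard access log records the query string but not the POST body, so the body form of the request (action sent as a form field) is invisible here and needs a WAF or request-body logging to detect.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in nginx/Apache "combined" format.
# These are made-up entries for the example, not logs from any real site.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=getshortcodedrenderedfenodelay&shortcode=%5Bwppa%5D HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [12/Nov/2024:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=getshortcodedrenderedfenodelay&shortcode=%5Bcontact-form%5D HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [12/Nov/2024:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2024:10:03:15 +0000] "GET /wp-admin/admin-ajax.php?action=getshortcodedrenderedfenodelay&shortcode=%5Bwppa%5D HTTP/1.1" 200 512 "-" "curl/8.4"
192.0.2.33 - - [12/Nov/2024:10:04:00 +0000] "GET /?p=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

VULN_ACTION = "getshortcodedrenderedfenodelay"  # action named in the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so %5B/%5D become [ and ] here
    rec["query"] = parse_qs(parts.query)
    return rec


def classify(rec):
    """Return detection tags for one parsed record (empty list = nothing notable)."""
    tags = []
    if rec["path"] != AJAX_PATH:
        return tags
    if VULN_ACTION in rec["query"].get("action", []):
        tags.append("vuln_action")
    # Shortcode delimiters in any query parameter, whether sent raw or encoded
    if any("[" in v and "]" in v for values in rec["query"].values() for v in values):
        tags.append("shortcode_markup")
    # Browsers calling admin-ajax.php normally send the site as referer;
    # its absence is a weak indicator of a scripted client, not proof
    if rec["referer"] in ("", "-"):
        tags.append("no_referer")
    return tags


def scan(log_text):
    """Return (hits, per_ip): flagged records with their tags, and hit counts per source IP."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if "vuln_action" in tags:
            hits.append((rec["ip"], rec["method"], rec["status"], tags))
            per_ip[rec["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for ip, method, status, tags in hits:
        print(f"{ip} {method} {status} {','.join(tags)}")
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} request(s) naming {VULN_ACTION}")
```

Feed real logs through scan() by reading the file instead of SAMPLE_LOG; the per-IP counter is what an alert on "repeated unauthenticated requests" would key on, and a 200 status on a flagged line means the handler rendered the shortcode rather than rejecting the request.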
How to Mitigate CVE-2024-10958
Immediate Actions Required
- Update WP Photo Album Plus to a version newer than 8.8.08.007 that includes the fix from changeset 3184852.
- Audit admin-ajax.php logs for prior exploitation attempts referencing getshortcodedrenderedfenodelay.
- Review installed plugins and themes for shortcodes that perform sensitive actions such as data export or remote requests.
Patch Information
The vendor addressed the issue in the WP Photo Album Plus plugin. Refer to the WordPress Plugin Changeset for the corrective code change and to the WordPress Developer Resources for current plugin releases.
Workarounds
- Deactivate and remove the WP Photo Album Plus plugin until patching is possible.
- Add WAF rules blocking unauthenticated POST requests where action=getshortcodedrenderedfenodelay.
- Restrict access to /wp-admin/admin-ajax.php from untrusted networks where feasible without breaking site functionality.
# Configuration example: nginx rule to block the vulnerable AJAX action
# Only the query-string form of the action can be matched with "if": nginx
# evaluates "if" in the rewrite phase, before the request body has been read,
# so $request_body is still empty there and cannot catch the action sent as a
# POST form field. Blocking that form needs a WAF or a body-inspecting module.
location = /wp-admin/admin-ajax.php {
    if ($arg_action = "getshortcodedrenderedfenodelay") { return 403; }
    # ... keep the site's existing PHP handler directives for this location here
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.