CVE-2024-8478 Overview
CVE-2024-8478 is an arbitrary shortcode execution vulnerability in the Affiliate Super Assistent plugin for WordPress, developed by ifeelweb. The plugin is affected in all versions up to and including 1.5.3. The flaw exists because the plugin processes user-supplied shortcodes embedded in comments when the Parse comments option is enabled. Unauthenticated attackers can submit comments containing arbitrary shortcodes that the plugin then executes during rendering. This issue is tracked under [CWE-94] Improper Control of Generation of Code.
Critical Impact
Unauthenticated attackers can execute arbitrary WordPress shortcodes through blog comments, potentially abusing any shortcode registered by WordPress core, themes, or other installed plugins.
Affected Products
- Ifeelweb Affiliate Super Assistent plugin for WordPress
- All versions up to and including 1.5.3
- WordPress sites with the Parse comments option enabled
Discovery Timeline
- 2024-09-10 - CVE-2024-8478 published to the National Vulnerability Database (NVD)
- 2024-09-26 - Last updated in NVD database
Technical Details for CVE-2024-8478
Vulnerability Analysis
The Affiliate Super Assistent plugin extends WordPress comment rendering with an option to parse shortcodes inside comment content. When Parse comments is enabled, comment text is passed through WordPress's do_shortcode() processing prior to display. Because comment submission does not require authentication on most WordPress sites, any visitor can introduce shortcode payloads into the comment stream. The plugin does not restrict which shortcodes can appear, nor does it validate the originating user role before processing.
The consequence is execution of arbitrary shortcodes registered anywhere on the site. An attacker can invoke shortcodes provided by other plugins, including those that disclose information, perform privileged actions, or alter page output. The impact varies depending on which shortcodes are registered in the target environment.
Root Cause
The root cause is missing input validation and authorization checks on shortcode processing in comment content. The plugin treats comment input as trusted and routes it through the shortcode parser without enforcing an allow-list. This pattern maps directly to [CWE-94], where untrusted input controls code generation logic.
Attack Vector
Exploitation is performed remotely over the network with no authentication and no user interaction. An attacker submits a comment containing one or more shortcode tags to any post that accepts comments. When the comment is rendered, the plugin executes the embedded shortcodes server-side. Sites that auto-approve comments are exposed without administrator interaction, while sites with moderation require an administrator to approve the comment for execution.
No public proof-of-concept exploit is listed for CVE-2024-8478, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Wordfence Vulnerability Analysis and the WordPress Plugin Code Review for technical details.
Detection Methods for CVE-2024-8478
Indicators of Compromise
- Comments containing bracketed shortcode syntax such as [shortcode_name] submitted by anonymous or low-reputation users.
- Web server access logs showing POST requests to wp-comments-post.php with payloads containing [ and ] shortcode delimiters.
- Unexpected output blocks, redirects, or affiliate links appearing inside rendered comments.
Detection Strategies
- Inspect the WordPress wp_comments table for comment_content values containing shortcode brackets, particularly from unauthenticated submissions.
- Review the plugin settings page and confirm whether the Parse comments option is enabled, which is the precondition for exploitation.
- Correlate comment submissions with subsequent unusual outbound requests or content modifications on the affected post.
Monitoring Recommendations
- Alert on HTTP POST requests to comment endpoints with bodies matching shortcode patterns from unauthenticated sessions.
- Monitor for new comments referencing shortcodes registered by sensitive plugins such as e-commerce, membership, or file-handling extensions.
- Track plugin version inventory across WordPress sites and flag installations of Affiliate Super Assistent at or below 1.5.3.
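As an added example that is not part of this advisory or of the plugin's code, the following Python applies the detection and monitoring strategies above to constructed wp_comments rows and to a captured wp-comments-post.php form body. The shortcode regex is a heuristic, and the names in SENSITIVE_SHORTCODES are assumed for illustration rather than taken from the advisory.

```python
import re
from urllib.parse import parse_qs

# Heuristic for WordPress shortcode syntax: [name], [name attr="v"], [name]...[/name].
# The name must start with a letter, so stray text such as "arr[0]" is not flagged.
SHORTCODE_RE = re.compile(r"\[/?([a-zA-Z][\w-]*)(?:\s[^\]]*)?/?\]")

# Assumed (not from the advisory) names of shortcodes registered by plugins that
# perform privileged or commerce actions; hits on these deserve a higher-priority alert.
SENSITIVE_SHORTCODES = {"woocommerce_checkout", "download", "contact-form-7"}

# Constructed rows mirroring the wp_comments columns the advisory says to inspect.
SAMPLE_COMMENTS = [
    {"comment_ID": 101, "user_id": 0, "comment_content": "Nice post!"},
    {"comment_ID": 102, "user_id": 0, "comment_content": 'See [gallery ids="1,2"] and [download id="7"]'},
    {"comment_ID": 103, "user_id": 5, "comment_content": "[caption]editor test[/caption]"},
    {"comment_ID": 104, "user_id": 0, "comment_content": "arr[0] is plain text, [not a shortcode"},
]

def find_shortcodes(text: str) -> list[str]:
    """Distinct shortcode names in text, in order of first appearance."""
    seen: list[str] = []
    for name in SHORTCODE_RE.findall(text):
        if name not in seen:
            seen.append(name)
    return seen

def flag_comments(rows, sensitive=SENSITIVE_SHORTCODES) -> list[dict]:
    """Flag comments from unauthenticated submitters (user_id == 0) that carry shortcodes."""
    findings = []
    for row in rows:
        if row["user_id"] != 0:
            continue  # authenticated commenters are outside the unauthenticated attack vector
        names = find_shortcodes(row["comment_content"])
        if names:
            findings.append({"comment_ID": row["comment_ID"], "shortcodes": names,
                             "sensitive": bool(set(names) & sensitive)})
    return findings

def shortcodes_in_comment_post(body: str) -> list[str]:
    """Shortcodes in the 'comment' field of a captured, URL-encoded wp-comments-post.php body.

    This is the check a WAF or reverse proxy would apply to anonymous comment POSTs.
    """
    fields = parse_qs(body, keep_blank_values=True)
    return find_shortcodes(" ".join(fields.get("comment", [])))
```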
How to Mitigate CVE-2024-8478
Immediate Actions Required
- Update the Affiliate Super Assistent plugin to a version newer than 1.5.3 once the vendor publishes a fixed release.
- Disable the Parse comments option in the plugin settings to remove the exploitable code path.
- Deactivate or remove the plugin if it is not actively used on the site.
Patch Information
The vendor committed changes to the plugin repository, recorded in the WordPress Plugin Change Log. Site administrators should apply the latest available plugin update through the WordPress administration dashboard and verify the installed version reflects the patched release.
Workarounds
- Turn off the Parse comments setting in the Affiliate Super Assistent configuration to block shortcode processing in comments.
- Require comment moderation so that no anonymous comment is rendered without administrator review.
- Deploy a Web Application Firewall (WAF) rule that blocks comment submissions containing shortcode bracket syntax from unauthenticated visitors.
- Close comments on posts that do not need them, or site-wide if comment functionality is not required.
# Configuration example: close comments globally via WP-CLI as a temporary workaround
# 1. New posts default to closed comments
wp option update default_comment_status closed
# 2. Close comments on every existing post (wp post update accepts multiple IDs)
wp post update $(wp post list --post_type=post --format=ids) --comment_status=closed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.