CVE-2024-11976
Arbitrary Shortcode Execution in BuddyPress Plugin
Publication date: 2026-01-23
Last updated on: 2026-01-23
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| buddy_press | buddy_press | up to and including 14.3.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the BuddyPress plugin to version 14.3.4 or later, where the vulnerability is fixed by enhanced permission checks and sanitization in bulk notification management functions. Additionally, ensure your WordPress installation and PHP version meet the minimum requirements (PHP 5.6 and WordPress 6.1 or higher) as required by the updated plugin. Applying this update will prevent unauthorized shortcode execution and unauthorized notification manipulation. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves arbitrary shortcode execution via the BuddyPress plugin up to version 14.3.3. Detection can involve checking if your WordPress installation uses BuddyPress plugin version 14.3.3 or earlier. Since the vulnerability allows unauthenticated shortcode execution, monitoring for unusual shortcode execution or unexpected AJAX requests related to BuddyPress messaging might help. However, no specific detection commands or network signatures are provided in the resources. You can check the BuddyPress plugin version via WP-CLI with the command: `wp plugin list --status=active | grep buddypress` to verify if the vulnerable version is installed. [1, 2]
Can you explain this vulnerability to me?
The vulnerability in the BuddyPress plugin for WordPress (up to version 14.3.3) allows unauthenticated attackers to execute arbitrary shortcodes. This happens because the plugin does not properly validate input before running the `do_shortcode` function, enabling attackers to run arbitrary shortcode actions without authentication.
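As an added illustration, not BuddyPress's own code and not taken from this page, the snippet below shows a hypothetical WordPress AJAX handler with the CWE-94 pattern the answer describes (untrusted request input reaching `do_shortcode()` with no authentication or validation) next to a hardened version that adds a nonce check, a capability check and an allowlist of shortcode tags. The handler names `example_render_*`, the nonce action `example_render` and the allowed tags `gallery` and `caption` are assumptions chosen for the example.

```php
<?php
// Added illustration, NOT BuddyPress source: a hypothetical AJAX handler showing the
// CWE-94 pattern described on this page (untrusted input reaching do_shortcode()
// without validation) beside a hardened version of the same handler.

/* --- Vulnerable pattern (hypothetical) --- */
// wp_ajax_nopriv_* hooks are reachable without logging in.
add_action( 'wp_ajax_nopriv_example_render', 'example_render_vulnerable' );
function example_render_vulnerable() {
    // No nonce, no capability check, and do_shortcode() runs whatever the request
    // body contains, so any shortcode registered on the site can be invoked.
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    wp_send_json_success( do_shortcode( $content ) );
}

/* --- Hardened pattern (hypothetical) --- */
// No nopriv hook: the endpoint is only registered for logged-in users.
add_action( 'wp_ajax_example_render', 'example_render_hardened' );
function example_render_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_render', 'nonce' );

    // 2. Authorization: only users who may edit posts get to render shortcodes.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $content = isset( $_POST['content'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['content'] ) )
        : '';

    // 3. Allowlist: refuse the request if it contains any tag this feature does not expect.
    if ( ! example_shortcodes_allowed( $content, array( 'gallery', 'caption' ) ) ) {
        wp_send_json_error( 'unexpected shortcode', 400 );
    }

    wp_send_json_success( do_shortcode( $content ) );
}

/**
 * Return true only if every registered shortcode tag found in $content is in $allowed.
 * Uses WordPress's own shortcode regex; capture group 2 holds the tag name.
 * get_shortcode_regex() only matches tags that are currently registered, which are
 * exactly the ones do_shortcode() would execute.
 */
function example_shortcodes_allowed( $content, array $allowed ) {
    if ( ! preg_match_all( '/' . get_shortcode_regex() . '/s', $content, $matches ) ) {
        return true; // no shortcodes present at all
    }
    foreach ( $matches[2] as $tag ) {
        if ( ! in_array( $tag, $allowed, true ) ) {
            return false;
        }
    }
    return true;
}
```

The allowlist check matters because `do_shortcode()` executes every registered shortcode on the site, including those added by unrelated plugins, so authentication alone still leaves the "arbitrary" part of the finding in place; restricting the tags to the ones the feature actually needs is what removes it.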
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary shortcodes on your WordPress site without authentication. This could lead to unauthorized actions such as content injection, execution of malicious code, or other unintended behaviors that compromise the integrity, confidentiality, and availability of your site.