CVE-2024-12415: Code Injection
First published: Fri Jan 31 2025(Updated: )
The The AI Infographic Maker plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.9.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WordPress AI Infographic Maker | <=4.9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://plugins.trac.wordpress.org/browser/infographic-and-list-builder-ilist/trunk/embed/qcld-embed-link.php#L46
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3210519%40infographic-and-list-builder-ilist&new=3210519%40infographic-and-list-builder-ilist&sfp_email=&sfph_mail=#file1030
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3227956%40infographic-and-list-builder-ilist&new=3227956%40infographic-and-list-builder-ilist&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0aa21fad-4dd0-4ccd-a325-de3532a6ffaf?source=cve
Frequently Asked Questions
What is the severity of CVE-2024-12415?
CVE-2024-12415 is considered a high-severity vulnerability due to its potential for arbitrary code execution.
How do I fix CVE-2024-12415?
To fix CVE-2024-12415, update the AI Infographic Maker plugin to version 4.9.1 or later.
What versions are affected by CVE-2024-12415?
CVE-2024-12415 affects all versions of the AI Infographic Maker plugin for WordPress up to and including 4.9.0.
Who is impacted by CVE-2024-12415?
Any WordPress site using the AI Infographic Maker plugin version 4.9.0 or lower is impacted by CVE-2024-12415.
What type of vulnerability is CVE-2024-12415 classified as?
CVE-2024-12415 is classified as an arbitrary shortcode execution vulnerability.
- collector/nvd-api
- source/NVD
- agent/type
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/source
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- vendor/wordpress
- canonical/wordpress ai infographic maker