CVE-2024-10952: 
WordPress vulnerability analysis and mitigation

The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution via the updateauthorslist_ajax AJAX action in versions up to and including 2.0.4. This vulnerability was discovered and disclosed in December 2024, affecting all installations of the Authors List plugin up to version 2.0.4 (NVD).

The vulnerability stems from improper validation of input values before executing the doshortcode function. This security flaw allows unauthenticated attackers to execute arbitrary shortcodes through the updateauthorslistajax AJAX action. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating a serious security risk. The issue has been classified as CWE-94 (Improper Control of Generation of Code) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes on affected WordPress installations. This could potentially lead to unauthorized access, information disclosure, and other security compromises depending on the available shortcodes and their functionality (NVD).

Website administrators running the Authors List plugin should immediately update to version 2.0.6.1 or later, which contains security fixes for this vulnerability. The update was released in February 2025 as part of the plugin's security improvements (WordPress Plugin).