CVE-2024-11012: 
WordPress vulnerability analysis and mitigation

The Notibar – Notification Bar for WordPress plugin is affected by a vulnerability tracked as CVE-2024-11012. The vulnerability allows arbitrary shortcode execution via the njtnofitext AJAX action in versions up to and including 2.1.4. The issue was discovered and reported by Arkadiusz Hydzik, and was publicly disclosed on December 13, 2024 (NVD CVE).

The vulnerability stems from improper validation of input values before executing the do_shortcode function. It has been classified as CWE-94 (Improper Control of Generation of Code). The vulnerability has received a CVSS v3.1 Base Score of 6.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, indicating network accessibility with low attack complexity and requiring low privileges (Wordfence Intel).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes in the WordPress environment. This could potentially lead to unauthorized code execution within the context of the WordPress installation (NVD CVE).

The vulnerability has been addressed in version 2.1.5 of the Notibar plugin. Users are advised to update to the latest version to mitigate this security risk (WordPress Plugin).