CVE-2024-11036: 
WordPress vulnerability analysis and mitigation

The GamiPress WordPress plugin (versions up to and including 7.1.5) contains an arbitrary shortcode execution vulnerability through the gamipress_get_user_earnings AJAX action. The vulnerability was discovered and disclosed on November 18, 2024, and is tracked as CVE-2024-11036. This security issue affects all installations of the GamiPress plugin, which is a gamification tool used to reward points, achievements, badges, and ranks in WordPress (Wordfence).

The vulnerability stems from improper validation of values before executing the do_shortcode function, allowing unauthenticated attackers to execute arbitrary shortcodes through the gamipress_get_user_earnings AJAX action. The severity of this vulnerability has been assessed with two different CVSS v3.1 scores: NIST rates it as CRITICAL with a base score of 9.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while Wordfence assigns it a HIGH severity with a base score of 7.3 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (NVD).

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes on affected WordPress installations. This could potentially lead to various security implications including unauthorized access, data manipulation, and system compromise due to the high severity nature of the vulnerability (NVD).

Website administrators running affected versions of the GamiPress plugin should upgrade to version 7.1.6 or later, which contains the security fix for this vulnerability (NVD).