CVE-2024-11733: 
WordPress vulnerability analysis and mitigation

The WordPress Popular Posts plugin for WordPress contains a vulnerability tracked as CVE-2024-11733, which affects all versions up to and including 7.1.0. The vulnerability was publicly disclosed on January 3, 2025, and allows for arbitrary shortcode execution. This security flaw impacts users of the WordPress Popular Posts plugin, a widely-used WordPress extension (NVD Database, WPScan Database).

The vulnerability is classified as a Code Injection (CWE-94) issue with a CVSS v3.1 base score of 7.3 (High). The security flaw stems from the plugin's failure to properly validate input values before executing the do_shortcode function, allowing unauthenticated attackers to execute arbitrary shortcodes. The vulnerability has been assigned the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD Database).

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, which could lead to various security implications including information disclosure, integrity compromise, and potential system disruption. The CVSS score of 7.3 indicates a high severity impact, with potential consequences affecting the confidentiality, integrity, and availability of the affected systems (WPScan Database).

The vulnerability has been patched in version 7.2.0 of the WordPress Popular Posts plugin. Users are strongly advised to update to this latest version to mitigate the security risk (WPScan Database).