CVE-2024-8481: 
WordPress vulnerability analysis and mitigation

The Special Text Boxes plugin for WordPress contains a vulnerability (CVE-2024-8481) that allows arbitrary shortcode execution in versions up to and including 6.2.2. The vulnerability was discovered and disclosed on September 24, 2024, affecting all installations of the Special Text Boxes WordPress plugin up to version 6.2.2 (NVD, Wordfence).

The vulnerability stems from the plugin adding the filter addfilter('commenttext', 'do_shortcode') which enables the execution of all shortcodes in comments. This implementation creates a security weakness classified as CWE-94 (Improper Control of Generation of Code). The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD).

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes through comments, potentially leading to unauthorized access to site functionality and possible security compromises. The impact affects confidentiality, integrity, and availability of the WordPress installation, as indicated by the CVSS scoring (NVD).

Site administrators should immediately update the Special Text Boxes plugin to a version newer than 6.2.2 if available. If an update is not available, it is recommended to disable the plugin until a security patch is released (NVD).