CVE-2024-9837: 
WordPress vulnerability analysis and mitigation

The AADMY – Add Auto Date Month Year Into Posts plugin for WordPress contains an arbitrary shortcode execution vulnerability (CVE-2024-9837) affecting all versions up to and including 2.0.1. The vulnerability was discovered and disclosed on October 14, 2024 by security researcher Francesco Carlucci (Wordfence Intel).

The vulnerability stems from improper validation of user input before executing the do_shortcode function. This security flaw has been assigned a CVSS v3.1 base score of 7.3 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (NVD Database).

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes on affected WordPress installations. This could potentially lead to unauthorized access to sensitive information, modification of content, and other security compromises (Wordfence Intel).

The vulnerability was addressed in version 2.0.2 of the plugin. Users are strongly advised to update to this version immediately. The update includes security fixes that prevent arbitrary shortcode execution in comments by unauthorized users, with shortcodes now being disabled in comments and restricted to authorized users (Contributor+ roles) (WordPress Plugin).