CVE-2024-9846: 
WordPress vulnerability analysis and mitigation

The Enable Shortcodes inside Widgets,Comments and Experts plugin for WordPress contains a vulnerability (CVE-2024-9846) that allows arbitrary shortcode execution in all versions up to and including 1.0.0. The vulnerability was discovered and reported by Wordfence, with public disclosure on October 29, 2024 (Wordfence).

The vulnerability stems from the plugin's failure to properly validate values before executing the do_shortcode function. This security flaw has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (NVD).

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes on affected WordPress installations. This could potentially lead to unauthorized access, data manipulation, and compromise of website functionality (NVD).

As of October 28, 2024, the plugin has been closed and is no longer available for download from the WordPress plugin repository due to this security issue (WordPress). Users are advised to remove this plugin from their WordPress installations.