CVE-2024-4135 - Vulnerability Details - OpenCVE

The WP Latest Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.7. This is due to the plugin allowing users to execute an action that does not properly validate a user-supplied value prior to using that value in a call to do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Joomunited	Wp Latest Posts
Wordpress	Wordpress

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3081119/wp-latest-posts
https://www.wordfence.com/threat-intel/vulnerabilities/id/57d90ba7-b655-4655-981c-548ff96c3bb7?source=cve

History

Fri, 10 Apr 2026 04:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 08 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
Title		WP Latest Posts <= 5.0.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
Weaknesses		CWE-94

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-05-08T09:31:35.378Z

Updated: 2026-04-08T16:54:28.700Z

Reserved: 2024-04-24T16:38:34.572Z

Link: CVE-2024-4135

Vulnrichment

Updated: 2024-08-01T20:33:52.659Z

NVD

Status : Awaiting Analysis

Published: 2024-05-08T10:15:08.360

Modified: 2026-04-08T18:21:41.413

Link: CVE-2024-4135

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-4135", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-04-24T16:38:34.572Z", "datePublished": "2024-05-08T09:31:35.378Z", "dateUpdated": "2026-04-08T16:54:28.700Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:28.700Z"}, "affected": [{"vendor": "joomunited", "product": "WP Latest Posts", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Latest Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.7. This is due to the plugin allowing users to execute an action that does not properly validate a user-supplied value prior to using that value in a call to do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "title": "WP Latest Posts <= 5.0.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57d90ba7-b655-4655-981c-548ff96c3bb7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3081119/wp-latest-posts"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2024-05-01T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2024-05-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:33:52.659Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57d90ba7-b655-4655-981c-548ff96c3bb7?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3081119/wp-latest-posts", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-12T19:56:45.811647Z", "id": "CVE-2024-4135", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T19:59:35.131Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57d90ba7-b655-4655-981c-548ff96c3bb7?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3081119/wp-latest-posts", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:33:52.659Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4135", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-12T19:56:45.811647Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-08T14:54:21.772Z"}}], "cna": {"title": "WP Latest Posts <= 5.0.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "joomunited", "product": "WP Latest Posts", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-05-01T00:00:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2024-05-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57d90ba7-b655-4655-981c-548ff96c3bb7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3081119/wp-latest-posts"}], "descriptions": [{"lang": "en", "value": "The WP Latest Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.7. This is due to the plugin allowing users to execute an action that does not properly validate a user-supplied value prior to using that value in a call to do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:28.700Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4135", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:54:28.700Z", "dateReserved": "2024-04-24T16:38:34.572Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-05-08T09:31:35.378Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Latest Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.7. This is due to the plugin allowing users to execute an action that does not properly validate a user-supplied value prior to using that value in a call to do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}, {"lang": "es", "value": "El complemento WP Latest Posts para WordPress es vulnerable a la ejecuci\u00f3n arbitraria de c\u00f3digos cortos en todas las versiones hasta la 5.0.7 incluida. Esto se debe a que el complemento permite a los usuarios ejecutar una acci\u00f3n que no valida adecuadamente un valor proporcionado por el usuario antes de usar ese valor en una llamada a do_shortcode. Esto hace posible que atacantes no autenticados ejecuten c\u00f3digos cortos arbitrarios."}], "id": "CVE-2024-4135", "lastModified": "2026-04-08T18:21:41.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-05-08T10:15:08.360", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3081119/wp-latest-posts"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57d90ba7-b655-4655-981c-548ff96c3bb7?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/changeset/3081119/wp-latest-posts"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57d90ba7-b655-4655-981c-548ff96c3bb7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Primary"}]}