QuantumCloud AI Infographic Maker
cpe:2.3:a:quantumcloud:infographic_maker:*:*:*:*:wordpress:*:*
- <= 4.9.0
A vulnerability allowing arbitrary shortcode execution has been identified in the AI Infographic Maker plugin for WordPress, affecting all versions through 4.9.0. The issue arises because the plugin does not properly validate user input before executing shortcodes, enabling unauthenticated attackers to execute arbitrary shortcodes on the site.
Successful exploitation lets an attacker run arbitrary shortcodes, which could be used to manipulate content or functionality on the affected WordPress site.
The vulnerability can be reproduced by sending a request to the WordPress site with the 'order', 'mode', 'column', 'style', 'search', 'category', 'upvote', 'list_id', and 'capture' parameters. The 'order' parameter can be set to 'ASC' or 'DESC', while the 'mode' parameter can be set to 'one' or 'two'. The 'column' parameter can be set to any value, and the 'style' parameter can also be customized. Once the request is sent, the plugin will execute the specified shortcode with the provided parameters, without proper validation.
Users are advised to update the AI Infographic Maker plugin to version 5.0.0 or later, where this vulnerability has been patched.
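For sites that maintain similar code, the following added example (not the plugin's code or its 5.0.0 patch) shows the validation the description says was missing: the shortcode tag is fixed server-side and every request parameter is checked before a shortcode string is built. The tag name `example_list`, the function name, and the character rule for the free-form parameters are assumptions; only the `order` and `mode` values come from the advisory.

```php
<?php
// Added illustration, not the plugin's code or its 5.0.0 patch.
const FIXED_TAG = 'example_list';           // hypothetical placeholder tag
const ENUMS = [                             // values listed in the advisory
    'order' => ['ASC', 'DESC'],
    'mode'  => ['one', 'two'],
];
// Assumed rule for the remaining parameters: short, no brackets or quotes.
const FREE_FORM = ['column', 'style', 'search', 'category',
                   'upvote', 'list_id', 'capture'];
const FREE_FORM_PATTERN = '/\A[A-Za-z0-9 _-]{1,64}\z/';

/** Returns a shortcode string for the fixed tag, or null if any value is rejected. */
function build_safe_shortcode(array $request): ?string
{
    $atts = [];
    foreach (ENUMS as $name => $allowed) {
        if (!array_key_exists($name, $request)) {
            continue;
        }
        if (!in_array($request[$name], $allowed, true)) {
            return null;                    // strict comparison: arrays and near-misses fail
        }
        $atts[$name] = $request[$name];
    }
    foreach (FREE_FORM as $name) {
        if (!array_key_exists($name, $request)) {
            continue;
        }
        $value = $request[$name];
        if (!is_string($value) || preg_match(FREE_FORM_PATTERN, $value) !== 1) {
            return null;                    // rejects "[", "]", quotes, arrays
        }
        $atts[$name] = $value;
    }
    $shortcode = '[' . FIXED_TAG;           // the request never chooses the tag
    foreach ($atts as $name => $value) {
        $shortcode .= sprintf(' %s="%s"', $name, $value);
    }
    return $shortcode . ']';
}

// Constructed sample requests: one valid, two that must be rejected.
$samples = [
    ['order' => 'ASC', 'mode' => 'two', 'column' => '3'],
    ['order' => 'ASC', 'style' => 'x"][other_shortcode]'],
    ['order' => 'asc'],
];
foreach ($samples as $request) {
    var_dump(build_safe_shortcode($request));
}
```

In a WordPress handler, only a non-null result would be passed on to `do_shortcode()`; a null result should end the request with an error.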