Germanized for WooCommerce Unauthenticated Arbitrary Shortcode Execution Vulnerability
Vulnerability
A vulnerability exists in the Germanized for WooCommerce plugin for WordPress, allowing for arbitrary shortcode execution. This issue affects all versions through 3.20.5. The vulnerability arises because the plugin does not properly validate the 'account_holder' parameter before executing shortcodes, enabling unauthenticated attackers to execute arbitrary shortcodes.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of shortcodes by an unauthenticated attacker. The resulting impact depends on which shortcodes are registered on the affected site and may include injection of malicious content or triggering of unwanted actions on the WordPress site.
Reproduction
To reproduce this vulnerability, send a request to a WordPress site with the Germanized for WooCommerce plugin installed, placing a shortcode in the 'account_holder' parameter. The plugin executes the shortcode without proper validation, allowing for arbitrary shortcode execution.
Remediation
Users are advised to update the Germanized for WooCommerce plugin to version 3.20.6 or a newer patched version.
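As an added example (not part of this advisory and not code from the Germanized for WooCommerce plugin), the following Python script inspects request parameters for WordPress shortcode syntax in the 'account_holder' field. It is the kind of check a WAF rule or a log-triage job can apply while the update described above is rolled out, or when reviewing past traffic for exploitation attempts. The sample request records, the example_shortcode tag name, the wc-ajax path and the shortcode regular expression are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# WordPress shortcode syntax is [tag], [tag attr="v"] and [tag]...[/tag].
# This pattern (an assumption, not WordPress's own parser) accepts tag names
# made of letters, digits, underscore and hyphen; it deliberately
# over-approximates, so escaped [[tag]] literals are also flagged for review.
SHORTCODE_RE = re.compile(r"\[\s*/?([A-Za-z0-9_-]+)(?:\s+[^\]]*)?\]")

# Parameter named in the advisory; extend the tuple to watch other fields.
WATCHED_PARAMS = ("account_holder",)


def find_shortcodes(value):
    """Return the lower-cased shortcode tag names found in a string."""
    return [m.group(1).lower() for m in SHORTCODE_RE.finditer(value)]


def request_params(method, target, body=""):
    """Merge query-string and form-encoded POST body parameters into one dict.

    POST bodies are only available if the WAF or request log captures them;
    a plain access log will only show the query string.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params


def triage_request(method, target, body=""):
    """Return (parameter, tag) findings for watched parameters of one request."""
    findings = []
    params = request_params(method, target, body)
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            for tag in find_shortcodes(value):
                findings.append((name, tag))
    return findings


def scan(records):
    """Run triage over (id, method, target, body) records; return hits by id."""
    report = {}
    for rec_id, method, target, body in records:
        hits = triage_request(method, target, body)
        if hits:
            report[rec_id] = hits
    return report


# Constructed sample requests (not taken from any real site or incident).
SAMPLE_REQUESTS = [
    ("r1", "POST", "/?wc-ajax=checkout",
     "account_holder=Max+Mustermann&iban=DE00000000000000000000"),
    ("r2", "POST", "/?wc-ajax=checkout",
     "account_holder=%5Bexample_shortcode+id%3D%221%22%5D"),
    ("r3", "GET",
     "/?account_holder=%5Bexample_shortcode%5D%5B%2Fexample_shortcode%5D", ""),
    ("r4", "POST", "/?wc-ajax=checkout",
     "account_holder=Firma+GmbH&note=%5Bgallery%5D"),
]

if __name__ == "__main__":
    for rec_id, hits in scan(SAMPLE_REQUESTS).items():
        print(rec_id, hits)
```

Only the watched parameter is inspected, so bracketed text in unrelated fields (record r4) does not raise a finding, while shortcode syntax in 'account_holder' arriving via either the query string or the POST body (records r2 and r3) does. A legitimate account holder name containing square brackets would also be flagged; that false positive is cheap to review, and the check is a triage aid, not a substitute for installing the patched plugin version.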
