{"api_version":"1","generated_at":"2026-04-23T18:37:26+00:00","cve":"CVE-2024-12417","urls":{"html":"https://cve.report/CVE-2024-12417","api":"https://cve.report/api/cve/CVE-2024-12417.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-12417","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-12417"},"summary":{"title":"Simple Link Directory <= 8.4.5 - Unauthenticated Arbitrary Shortcode Execution","description":"The Simple Link Directory plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.4.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2024-12-13 09:15:08","updated_at":"2026-04-08 19:20:00"},"problem_types":["CWE-94","CWE-94 CWE-94 Improper Control of Generation of Code ('Code 
Injection')"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","data":{"baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/simple-link-directory/trunk/embed/qcopd-embed-link.php#L17","name":"https://plugins.trac.wordpress.org/browser/simple-link-directory/trunk/embed/qcopd-embed-link.php#L17","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b7112840-f190-4867-9408-c96408f28b7a?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b7112840-f190-4867-9408-c96408f28b7a?source=cve","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset/3232625/","name":"https://plugins.trac.wordpress.org/changeset/3232625/","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset/3206971/simple-link-directory/trunk/embed/qcopd-embed-link.php","name":"https://plugins.trac.wordpress.org/changeset/3206971/simple-link-directory/trunk/embed/qcopd-embed-link.php","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","htt
pstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-12417","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12417","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"quantumcloud","product":"Simple Link Directory","version":"affected 8.4.5 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2024-12-12T19:48:27.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Arkadiusz Hydzik","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2024","cve_id":"12417","cve":"CVE-2024-12417","epss":"0.009840000","percentile":"0.768100000","score_date":"2026-04-13","updated_at":"2026-04-14 00:12:06"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-12417","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-12-16T15:59:35.724610Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-12-16T16:41:33.641Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Simple Link Directory","vendor":"quantumcloud","versions":[{"lessThanOrEqual":"8.4.5","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Arkadiusz Hydzik"}],"descriptions":[{"lang":"en","value":"The Simple Link Directory plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.4.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. 
This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}],"metrics":[{"cvssV3_1":{"baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-94","description":"CWE-94 Improper Control of Generation of Code ('Code Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:17:36.175Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b7112840-f190-4867-9408-c96408f28b7a?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/simple-link-directory/trunk/embed/qcopd-embed-link.php#L17"},{"url":"https://plugins.trac.wordpress.org/changeset/3206971/simple-link-directory/trunk/embed/qcopd-embed-link.php"},{"url":"https://plugins.trac.wordpress.org/changeset/3232625/"}],"timeline":[{"lang":"en","time":"2024-12-12T19:48:27.000Z","value":"Disclosed"}],"title":"Simple Link Directory <= 8.4.5 - Unauthenticated Arbitrary Shortcode Execution"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2024-12417","datePublished":"2024-12-13T08:24:51.341Z","dateReserved":"2024-12-10T16:04:13.251Z","dateUpdated":"2026-04-08T17:17:36.175Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-12-13 09:15:08","lastModifiedDate":"2026-04-08 19:20:00","problem_types":["CWE-94","CWE-94 CWE-94 Improper Control of Generation of Code ('Code 
Injection')"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.5}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"12417","Ordinal":"1","Title":"Simple Link Directory <= 8.4.5 - Unauthenticated Arbitrary Short","CVE":"CVE-2024-12417","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"12417","Ordinal":"1","NoteData":"The Simple Link Directory plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.4.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.","Type":"Description","Title":"Simple Link Directory <= 8.4.5 - Unauthenticated Arbitrary Short"}]}}}