CVE-2024-13345
Published: 13 February 2025
Summary
CVE-2024-13345 is a high-severity Code Injection (CWE-94) vulnerability in Theme-Fusion Avada Builder. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE is ranked in the top 29.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13345 is a code injection vulnerability affecting the Avada Builder plugin for WordPress, impacting all versions up to and including 3.11.13. The flaw arises from an action in the plugin that fails to properly validate a user-supplied value before passing it to the do_shortcode function, enabling arbitrary shortcode execution. It has been assigned a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-94 (Improper Control of Generation of Code).
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no privileges or user interaction required, as the CVSS vector indicates. By crafting requests that trigger the vulnerable action, they can execute arbitrary shortcodes on the target site. The CVSS vector rates the impact on confidentiality, integrity, and availability as low; in practice this can mean data disclosure, site defacement, or limited disruption, depending on which shortcodes are registered on the site.
Mitigation details are available in advisories from Wordfence and the official Avada changelog, which outline patches and remediation steps for affected installations. Security practitioners should update to a patched version of the Avada Builder plugin beyond 3.11.13 and review sites running vulnerable versions for signs of exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51544
Vulnerability details
The Avada Builder plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
- CWE(s): CWE-94 (Improper Control of Generation of Code)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated remote code injection in public-facing WordPress plugin enabling arbitrary shortcode execution via do_shortcode.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Remediating the code injection flaw by applying patches to Avada Builder versions beyond 3.11.13 directly eliminates the arbitrary shortcode execution vulnerability.
- Input validation: Mechanisms that sanitize or reject untrusted user-supplied values before they reach the vulnerable do_shortcode function mitigate injection attempts.
- RA-5 (Vulnerability Monitoring and Scanning): Vulnerability scanning identifies systems running vulnerable Avada Builder plugin versions up to 3.11.13, enabling timely flaw remediation.
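As an added illustration of the bug class described in the vulnerability details and of the input validation control above, the hypothetical AJAX handler below contrasts the unsafe pattern (a request value handed straight to do_shortcode) with a hardened counterpart. This is constructed example code, not Avada Builder's own; the example_ function names, the nonce action, the allowlist and the request parameters are all assumptions.

```php
<?php
// Constructed illustration, not Avada Builder's code.

// UNSAFE PATTERN (hypothetical): the request body is passed to do_shortcode()
// without validation, and the action is registered for unauthenticated
// (nopriv) callers, so any shortcode registered on the site can be rendered.
function example_render_shortcode_unsafe() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // CWE-94: untrusted input controls what code runs
    wp_die();
}
add_action( 'wp_ajax_nopriv_example_render', 'example_render_shortcode_unsafe' );

// HARDENED PATTERN (hypothetical): the caller may only pick a tag from a fixed
// allowlist, the tag must be registered, the request must carry a nonce, and
// the caller needs a capability. The shortcode string is built server-side, so
// raw "[...]" markup from the request never reaches do_shortcode().
function example_render_shortcode_safe() {
    check_ajax_referer( 'example_render_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Constructed allowlist: only the shortcodes this feature legitimately needs.
    $allowed = array( 'gallery', 'caption' );
    $tag     = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unsupported shortcode', 400 );
    }

    // Attributes are coerced to the expected type rather than copied verbatim.
    $id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $html = do_shortcode( '[' . $tag . ' id="' . $id . '"]' );
    wp_send_json_success( $html );
}
// Authenticated hook only: no wp_ajax_nopriv_ registration for the safe handler.
add_action( 'wp_ajax_example_render', 'example_render_shortcode_safe' );
```

The key difference is that the hardened handler never lets the request decide which shortcode runs; it only selects among tags the plugin author chose in advance.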