Cyber Resilience

CVE-2024-13345

Severity: High

Published: 13 February 2025
Modified: 14 April 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0061 (70.3rd percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13345 is a high-severity Code Injection (CWE-94) vulnerability in Theme-Fusion Avada Builder. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 29.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13345 is a code injection vulnerability affecting the Avada Builder plugin for WordPress, impacting all versions up to and including 3.11.13. The flaw arises from an action in the plugin that fails to properly validate a user-supplied value before passing it to the do_shortcode function, enabling arbitrary shortcode execution. It has been assigned a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-94 (Improper Control of Generation of Code).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required, as indicated by the CVSS vector. By crafting requests that trigger the vulnerable action, they can execute arbitrary shortcodes on the target site. The resulting impact on confidentiality, integrity, and availability is rated Low in each case, such as data disclosure, site defacement, or limited disruption, depending on which shortcodes are registered on the site.

Mitigation details are available in advisories from Wordfence and the official Avada changelog, which outline patches and remediation steps for affected installations. Security practitioners should update to a patched version of the Avada Builder plugin beyond 3.11.13 and review sites running vulnerable versions for signs of exploitation.

Vulnerability details

The Avada Builder plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CWE(s): CWE-94 (Improper Control of Generation of Code)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The flaw is a direct, unauthenticated remote code injection in a public-facing WordPress plugin, enabling arbitrary shortcode execution via do_shortcode.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13346 (same vendor: Theme-Fusion)
CVE-2025-13773 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2026-30643 (shared CWE-94)
CVE-2026-30460 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2024-13792 (shared CWE-94)
CVE-2020-37052 (shared CWE-94)
CVE-2026-42555 (shared CWE-94)

Affected Assets

Vendor: theme-fusion
Product: avada builder
Versions: ≤ 3.11.14

Mitigating Controls (NIST 800-53 r5) (AI)

Control type: prevent, recover

Remediating the code injection flaw by applying patches to Avada Builder versions beyond 3.11.13 directly eliminates the arbitrary shortcode execution vulnerability.

Control type: prevent

Input validation mechanisms sanitize or reject untrusted user-supplied values before they reach the vulnerable do_shortcode function, mitigating injection attempts.

Control type: detect

Vulnerability scanning identifies systems running vulnerable Avada Builder plugin versions up to 3.11.13, enabling timely flaw remediation.
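The input-validation control above, and the root cause described in the deeper analysis (a user-supplied value reaching do_shortcode unchecked), can be shown in code. The following is an added example and not Avada's or Wordfence's code: a hypothetical WordPress AJAX action (hook name example_render, helper example_do_allowed_shortcodes, nonce action example_render and the example_* shortcode names are all assumptions) that only ever runs an allow-listed subset of shortcodes on request content.

```php
<?php
// Added example (not Avada's code): a hypothetical WordPress AJAX action that
// renders user-supplied content with do_shortcode(), hardened against the class
// of flaw described for CVE-2024-13345 (an unvalidated value reaching do_shortcode).

// Anti-pattern: an action exposed to unauthenticated users (wp_ajax_nopriv_*)
// that hands a request value straight to do_shortcode(). Every shortcode
// registered on the site then becomes reachable without authentication.
//
//   add_action( 'wp_ajax_nopriv_example_render', function () {
//       echo do_shortcode( wp_unslash( $_POST['content'] ?? '' ) );
//       wp_die();
//   } );

/**
 * Run do_shortcode() with only an allow-listed subset of shortcodes enabled.
 * Tags not on the list are left as literal text instead of being executed,
 * because do_shortcode() builds its regex from the keys of $shortcode_tags.
 */
function example_do_allowed_shortcodes( string $content, array $allowed ): string {
    global $shortcode_tags;
    $all_tags       = $shortcode_tags;                              // save the registry
    $shortcode_tags = array_intersect_key( $all_tags, array_flip( $allowed ) );
    try {
        return do_shortcode( $content );
    } finally {
        $shortcode_tags = $all_tags;                                // always restore it
    }
}

// Hardened handler: authenticated only (no wp_ajax_nopriv_ hook), nonce-checked,
// capability-gated, and limited to a small allow-list of shortcodes.
add_action( 'wp_ajax_example_render', function () {
    check_ajax_referer( 'example_render', 'nonce' );                // reject forged requests
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $content = isset( $_POST['content'] ) ? wp_unslash( (string) $_POST['content'] ) : '';

    // Hypothetical allow-list of presentation-only shortcodes for this feature.
    $allowed = array( 'example_row', 'example_column', 'example_button' );

    $html = example_do_allowed_shortcodes( $content, $allowed );
    wp_send_json_success( wp_kses_post( $html ) );                  // filter the rendered HTML too
} );
```

Vulnerability scanning (the detect control above) remains necessary alongside this pattern, since the allow-list only protects actions that use it; sites on affected plugin versions still need the vendor patch.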
