CVE-2024-13346
Published: 13 February 2025
Summary
CVE-2024-13346 is a high-severity Code Injection (CWE-94) vulnerability in Theme-Fusion Avada. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 2.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Avada Website Builder theme for WordPress and WooCommerce is affected by an arbitrary shortcode execution vulnerability in all versions through 7.11.13. The flaw stems from insufficient validation of an input value passed to the do_shortcode function, enabling code injection as classified under CWE-94. The issue carries a CVSS 3.1 score of 7.3 with network attack vector, low complexity, and no authentication or user interaction required.
Unauthenticated attackers can exploit the weakness remotely by invoking an action that triggers arbitrary shortcode execution, resulting in limited impacts to confidentiality, integrity, and availability on the affected WordPress site.
Public references point to the vendor changelog and the Wordfence threat intelligence entry for details on the available updates that address the shortcode handling flaw. The EPSS score has remained flat at 0.4785, with no indicated rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51545
Vulnerability details
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
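As an added illustration of the pattern described above (this is not Avada's code and not taken from the advisory), the WordPress PHP below shows an AJAX action that hands a client-supplied value straight to do_shortcode, beside a hardened handler that only renders an allowlisted tag with individually validated attributes. The action names, the tag example_box and its columns attribute are assumptions.

```php
<?php
// Added example; NOT Avada's code. Action names, tag and attribute are assumed.

// Vulnerable pattern: an unauthenticated AJAX action passes a client-controlled
// string to do_shortcode(), so any registered shortcode can be executed.
add_action( 'wp_ajax_nopriv_render_block', 'render_block_vulnerable' ); // hypothetical
function render_block_vulnerable() {
    $content = wp_unslash( $_POST['content'] ?? '' );
    wp_send_json_success( do_shortcode( $content ) );   // no validation at all
}

// Hardened pattern: the client never supplies shortcode text. It may only name
// a tag from a fixed allowlist and pass attributes that are validated one by one;
// the shortcode string itself is assembled server-side.
const RENDER_BLOCK_ALLOWED = array(
    'example_box' => array( 'columns' ),   // hypothetical tag and attribute
);

add_action( 'wp_ajax_nopriv_render_block_safe', 'render_block_hardened' ); // hypothetical
function render_block_hardened() {
    check_ajax_referer( 'render_block', 'nonce' );   // reject forged requests

    $tag = sanitize_key( $_POST['tag'] ?? '' );
    if ( ! array_key_exists( $tag, RENDER_BLOCK_ALLOWED ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unsupported shortcode', 400 );
    }

    $incoming = ( isset( $_POST['atts'] ) && is_array( $_POST['atts'] ) ) ? $_POST['atts'] : array();
    $atts     = array();
    foreach ( RENDER_BLOCK_ALLOWED[ $tag ] as $name ) {
        if ( isset( $incoming[ $name ] ) ) {
            // Each attribute is reduced to a non-negative integer, so neither a
            // nested shortcode nor a quote can be smuggled through the attribute.
            $atts[] = sprintf( '%s="%d"', $name, absint( $incoming[ $name ] ) );
        }
    }

    // Only the allowlisted tag with validated attributes ever reaches do_shortcode().
    $shortcode = '[' . $tag . ( $atts ? ' ' . implode( ' ', $atts ) : '' ) . ']';
    wp_send_json_success( do_shortcode( $shortcode ) );
}
```

The hardened handler implements the SI-10 control named in the summary: the value is validated against an explicit allowlist before do_shortcode ever runs.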
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of unauthenticated arbitrary shortcode execution (CWE-94) in a public-facing WordPress theme matches T1190.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of user-supplied values before processing, addressing the core flaw of insufficient validation prior to do_shortcode execution.
- SI-2 (Flaw Remediation): Ensures timely remediation of the known vulnerability in Avada theme versions up to 7.11.13 through flaw identification, reporting, and patching.
- Restricts unauthorized or unvalidated inputs, such as arbitrary shortcode payloads, to specific transactions, limiting unauthenticated exploitation opportunities.