Cyber Resilience

CVE-2024-13346

Severity: High
Published: 13 February 2025
Modified: 24 February 2025
KEV Added: not listed
Patch: available (see vendor changelog)
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.4785 (97.8th percentile)
Risk Priority: 43 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13346 is a high-severity Code Injection (CWE-94) vulnerability in Theme-Fusion Avada. Its CVSS base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.2% of all CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Avada Website Builder theme for WordPress and WooCommerce is affected by an arbitrary shortcode execution vulnerability in all versions up to and including 7.11.13. The flaw stems from insufficient validation of a user-controlled value before it is passed to the WordPress do_shortcode() function, which evaluates every shortcode in the string and so amounts to code injection as classified under CWE-94. The issue carries a CVSS 3.1 score of 7.3: network attack vector, low complexity, no privileges and no user interaction required.

Unauthenticated attackers can exploit the weakness remotely by invoking the affected action with attacker-chosen shortcode content. Because do_shortcode() only runs shortcodes that active plugins and themes have registered, the achievable impact depends on which shortcodes are available on the target site; the CVSS vector accordingly rates the confidentiality, integrity, and availability impacts as low.
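The following is an added illustration of the pattern described above, not Avada's own code: the page does not identify the affected action, so the AJAX action name demo_render_shortcode, the function names and the allow-listed tags are hypothetical. The vulnerable handler shows the shape of the flaw (an unauthenticated nopriv hook feeding a raw POST value to do_shortcode()); the hardened handler applies the SI-10 style input validation referenced in the summary together with the usual WordPress authentication, capability and nonce checks.

```php
<?php
// Added example, not Avada's code. Hook names, function names and the
// allow-listed tags below are hypothetical.

// ---- Vulnerable pattern (mirrors the CWE-94 flaw described above) ----
// The wp_ajax_nopriv_ registration exposes the handler to unauthenticated
// callers of admin-ajax.php, and the raw POST value goes straight into
// do_shortcode(), so any shortcode registered on the site will be executed.
function demo_render_shortcode_vulnerable() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // attacker-chosen shortcodes run here
    wp_die();
}
add_action( 'wp_ajax_nopriv_demo_render_shortcode', 'demo_render_shortcode_vulnerable' );
add_action( 'wp_ajax_demo_render_shortcode', 'demo_render_shortcode_vulnerable' );

// ---- Hardened pattern ----
// 1. Require a logged-in user with a capability suited to the operation.
// 2. Verify a nonce so the request came from the site's own UI.
// 3. Validate the value against an allow-list of shortcode tags before
//    handing it to do_shortcode() (the SI-10 input-validation control).
function demo_allowed_shortcode_tags() {
    return array( 'fusion_text', 'fusion_button' ); // hypothetical allow-list
}

// Returns true only if every shortcode tag in $content is on the allow-list.
// get_shortcode_regex() builds a pattern over the registered shortcodes; the
// second capture group of each match is the tag name.
function demo_shortcodes_are_allowed( $content ) {
    $allowed = demo_allowed_shortcode_tags();
    if ( ! preg_match_all( '/' . get_shortcode_regex() . '/s', $content, $matches ) ) {
        return true; // no registered shortcodes present: nothing would execute
    }
    foreach ( $matches[2] as $tag ) {
        if ( ! in_array( $tag, $allowed, true ) ) {
            return false;
        }
    }
    return true;
}

function demo_render_shortcode_hardened() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_render_shortcode', 'nonce' ); // dies on failure

    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    if ( ! demo_shortcodes_are_allowed( $content ) ) {
        wp_send_json_error( 'shortcode not allowed', 400 );
    }
    wp_send_json_success( do_shortcode( $content ) );
}
add_action( 'wp_ajax_demo_render_shortcode', 'demo_render_shortcode_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: for a logged-out caller
// admin-ajax.php answers "0" with HTTP 400 instead of running the handler.
```

The allow-list check is the part that addresses the root cause: even if the authentication and nonce checks were bypassed or the feature genuinely needs to serve anonymous users, only the named tags can reach do_shortcode(). When reviewing a theme or plugin for this class of bug, grep for do_shortcode( and apply_shortcodes( and trace whether the argument can be influenced by a request parameter, paying special attention to handlers registered under wp_ajax_nopriv_ and to REST routes with a permissive permission_callback.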

Public references point to the vendor changelog and Wordfence threat intelligence entry for details on available updates that address the shortcode handling flaw. The EPSS score has remained flat at 0.4785 with no indicated rise after disclosure.


Vulnerability details

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of unauthenticated arbitrary shortcode execution (CWE-94) in a public-facing WordPress theme matches T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13345 (same vendor: Theme-Fusion)
CVE-2025-13773 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2026-30643 (shared CWE-94)
CVE-2026-30460 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2024-13792 (shared CWE-94)
CVE-2020-37052 (shared CWE-94)
CVE-2026-42555 (shared CWE-94)

Affected Assets

theme-fusion
avada
≤ 7.11.13 (all versions up to and including 7.11.13, per the vulnerability details above)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation of user-supplied values before processing, addressing the core flaw of insufficient validation prior to do_shortcode execution.

SI-2 Flaw Remediation (prevent)
Ensures timely remediation of the known vulnerability in Avada theme versions up to 7.11.13 through flaw identification, reporting, and patching.

prevent
Restricts unauthorized or unvalidated inputs like arbitrary shortcode payloads to specific transactions, limiting unauthenticated exploitation opportunities.
