Cyber Posture

CVE-2024-13792

Severity: High

Published: 20 February 2025
Modified: 10 September 2025
KEV Added: not listed (see Summary)
Patch: (no entry)
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0025 (47.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13792 is a high-severity Code Injection (CWE-94) vulnerability in Exthemes Woocommerce Food. Its CVSS base score is 7.3 (High).

Operationally, its EPSS score ranks it at the 47.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly addresses the vulnerability's root cause by requiring validation of user inputs before processing, preventing arbitrary shortcode execution via unvalidated values passed to do_shortcode.

SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and correction of flaws like this arbitrary shortcode execution in vulnerable plugin versions up to 3.3.2.

Vulnerability scanning (detect): Enables detection of the CVE through vulnerability scanning of installed WordPress plugins, facilitating remediation before unauthenticated exploitation.

NVD Description

The WooCommerce Food - Restaurant Menu & Food ordering plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Deeper analysis

CVE-2024-13792, published on 2025-02-20, is an arbitrary shortcode execution vulnerability (CWE-94) in the WooCommerce Food - Restaurant Menu & Food ordering plugin for WordPress. It affects all versions up to and including 3.3.2. The issue arises because the plugin allows execution of an action that fails to properly validate a value prior to invoking the do_shortcode function, enabling arbitrary shortcode execution. The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. Exploitation allows attackers to execute arbitrary shortcodes on the targeted WordPress site, potentially resulting in low-level impacts to confidentiality, integrity, and availability.
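As an added illustration of the weakness class this advisory describes (not the WooCommerce Food plugin's code, which this page does not show), the hypothetical AJAX handler below contrasts the unvalidated do_shortcode pattern with a hardened version that only renders a shortcode tag drawn from a fixed allowlist; the function names, action name, nonce name and allowlist entries are assumptions.

```php
<?php
// Added example, not the plugin's code. All names here are hypothetical.

// WEAK PATTERN (the CWE-94 shape described in this advisory): a request
// value reaches do_shortcode() without validation, so any shortcode
// registered on the site can be rendered by an unauthenticated caller.
function hypothetical_render_weak() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // no validation of $content at all
    wp_die();
}

// HARDENED PATTERN: accept only a shortcode *tag* from a fixed allowlist
// of the plugin's own shortcodes, never raw shortcode markup, and reject
// everything else before do_shortcode() is reached.
const HYPOTHETICAL_ALLOWED_TAGS = array( 'food_menu', 'food_cart' ); // assumed tags

function hypothetical_validate_tag( $raw ) {
    // sanitize_key() lowercases and strips all but [a-z0-9_-]; the
    // allowlist membership check is what actually decides admission.
    $tag = sanitize_key( $raw );
    if ( ! in_array( $tag, HYPOTHETICAL_ALLOWED_TAGS, true ) ) {
        return null;
    }
    // Defensive: refuse tags that are allowlisted but not registered.
    if ( ! shortcode_exists( $tag ) ) {
        return null;
    }
    return $tag;
}

function hypothetical_render_hardened() {
    // Nonce check ties the endpoint to requests issued from the plugin's
    // own front-end pages (assumed nonce action name).
    check_ajax_referer( 'hypothetical_food_nonce', 'nonce' );

    $raw = isset( $_POST['tag'] ) ? wp_unslash( $_POST['tag'] ) : '';
    $tag = hypothetical_validate_tag( $raw );
    if ( null === $tag ) {
        wp_send_json_error( array( 'message' => 'unknown shortcode' ), 400 );
    }

    // Only a known tag, built server-side with no attributes, reaches do_shortcode().
    wp_send_json_success( array( 'html' => do_shortcode( '[' . $tag . ']' ) ) );
}

add_action( 'wp_ajax_nopriv_hypothetical_food_render', 'hypothetical_render_hardened' );
add_action( 'wp_ajax_hypothetical_food_render', 'hypothetical_render_hardened' );
```

The same allowlist check can be applied to any other code path that turns request data into shortcode input, which is the SI-10 control the Summary recommends.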

Advisories and additional details are available from sources including Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/ec425326-2729-4142-b5f4-460dfd3ed773?source=cve and the plugin page on Codecanyon at https://codecanyon.net/item/woocommerce-food-restaurant-menu-food-ordering/25457330.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products

exthemes / woocommerce food, versions ≤ 3.3.3

CVEs Like This One

CVE-2024-13472 (same product class: WordPress / CMS plugin)
CVE-2025-2328 (same product class: WordPress / CMS plugin)
CVE-2024-10591 (same product class: WordPress / CMS plugin)
CVE-2025-14457 (same product class: WordPress / CMS plugin)
CVE-2025-22786 (same product class: WordPress / CMS plugin)
CVE-2024-13921 (same product class: WordPress / CMS plugin)
CVE-2025-1323 (same product class: WordPress / CMS plugin)
CVE-2024-13875 (same product class: WordPress / CMS plugin)
CVE-2024-13359 (same product class: WordPress / CMS plugin)
CVE-2025-1441 (same product class: WordPress / CMS plugin)
