Cyber Resilience

CVE-2024-13792

Severity: High

Published: 20 February 2025
Modified: 10 September 2025
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0025 (48.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13792 is a high-severity Code Injection (CWE-94) vulnerability in Exthemes Woocommerce Food. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 48.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13792, published on 2025-02-20, is an arbitrary shortcode execution vulnerability (CWE-94) in the WooCommerce Food - Restaurant Menu & Food ordering plugin for WordPress. It affects all versions up to and including 3.3.2. The issue arises because the plugin allows execution of an action that fails to properly validate a value prior to invoking the do_shortcode function, enabling arbitrary shortcode execution. The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. Successful exploitation lets an attacker choose which shortcode the site renders, with low impact to confidentiality, integrity, and availability (C:L/I:L/A:L), since what a given shortcode can reach depends on the other shortcodes registered on the site.
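As an added example, not code from the WooCommerce Food plugin (the handler, nonce and shortcode names are hypothetical), the unvalidated do_shortcode pattern the advisory describes is shown beside an allowlist-validated form that implements the SI-10 input validation control:

```php
<?php
// Added illustrative example; not the plugin's own code. Handler, nonce and
// shortcode names (wcf_*) are hypothetical.

// VULNERABLE PATTERN (the CWE-94 shape the advisory describes): a value from
// the request reaches do_shortcode() without validation, so the caller, not
// the plugin, decides which registered shortcode handler runs.
function wcf_render_block_unsafe() {
    $block = isset( $_POST['block'] ) ? wp_unslash( $_POST['block'] ) : '';
    echo do_shortcode( '[' . $block . ']' ); // unsafe: arbitrary shortcode execution
    wp_die();
}

// HARDENED FORM: an allowlist of the plugin's own shortcode tags is the only
// thing that selects what is rendered (NIST 800-53 SI-10, input validation).
function wcf_allowed_shortcodes() {
    return array( 'wcf_menu', 'wcf_cart' ); // hypothetical plugin shortcodes
}

function wcf_render_block_safe() {
    // The action should only be reachable from the plugin's own pages.
    check_ajax_referer( 'wcf_render_block', 'nonce' );

    // sanitize_key() reduces the value to [a-z0-9_-]; the exact-match check
    // below is what actually enforces the allowlist.
    $block = isset( $_POST['block'] ) ? sanitize_key( wp_unslash( $_POST['block'] ) ) : '';

    // Reject anything that is not one of the expected, registered tags.
    if ( ! in_array( $block, wcf_allowed_shortcodes(), true ) || ! shortcode_exists( $block ) ) {
        wp_send_json_error( array( 'message' => 'unknown block' ), 400 );
    }

    // Only the validated tag is rendered; no attributes are taken from the request.
    wp_send_json_success( array( 'html' => do_shortcode( '[' . $block . ']' ) ) );
}

// Only the hardened handler is hooked, for both logged-in and anonymous requests.
add_action( 'wp_ajax_wcf_render_block',        'wcf_render_block_safe' );
add_action( 'wp_ajax_nopriv_wcf_render_block', 'wcf_render_block_safe' );
```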

Advisories and additional details are available from sources including Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/ec425326-2729-4142-b5f4-460dfd3ed773?source=cve and the plugin page on Codecanyon at https://codecanyon.net/item/woocommerce-food-restaurant-menu-food-ordering/25457330.


Vulnerability details

The WooCommerce Food - Restaurant Menu & Food ordering plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated exploitation of public-facing WordPress plugin via arbitrary shortcode/code injection (CWE-94).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13472: same product class (WordPress / CMS plugin)
CVE-2024-13921: same product class (WordPress / CMS plugin)
CVE-2025-24618: same product class (WordPress / CMS plugin)
CVE-2025-7360: same product class (WordPress / CMS plugin)
CVE-2024-13641: same product class (WordPress / CMS plugin)
CVE-2024-13558: same product class (WordPress / CMS plugin)
CVE-2025-24596: same product class (WordPress / CMS plugin)
CVE-2024-13904: same product class (WordPress / CMS plugin)
CVE-2025-1441: same product class (WordPress / CMS plugin)
CVE-2025-13773: shared CWE-94

Affected Assets

Vendor: exthemes
Product: woocommerce food
Versions: ≤ 3.3.3

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10 Information Input Validation): directly addresses the vulnerability's root cause by requiring validation of user input before processing, preventing arbitrary shortcode execution via unvalidated values passed to do_shortcode.

Prevent (SI-2 Flaw Remediation): mandates timely identification, reporting, and correction of flaws such as this arbitrary shortcode execution in vulnerable plugin versions up to 3.3.2.

Detect: enables detection of the CVE through vulnerability scanning of installed WordPress plugins, so that remediation can happen before unauthenticated exploitation.
