Cyber Resilience

CVE-2024-13797

Severity: High

Published: 18 February 2025
Modified: 21 February 2025
KEV Added: not listed
Patch: none recorded
CVSS v3.1 Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0040 (60.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13797 is a high-severity Code Injection (CWE-94) vulnerability in Presslayouts Pressmart. Its CVSS base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 39.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13797 is an arbitrary shortcode execution vulnerability in the PressMart - Modern Elementor WooCommerce WordPress Theme for WordPress, affecting all versions up to and including 1.2.16. The theme exposes an action that fails to validate a supplied value before passing it to the do_shortcode function, so unauthenticated attackers can execute arbitrary shortcodes. It is rated with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-94 (Improper Control of Generation of Code).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction required. Exploitation allows attackers to execute arbitrary shortcodes, which could result in low impacts to confidentiality, integrity, and availability, depending on the shortcodes used and the site's configuration.

Advisories and additional details are available from sources including Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/24aa6c0b-88bc-4c3e-ada7-2e89d84bdfc3?source=cve and the theme's page on ThemeForest at https://themeforest.net/item/pressmart-modern-elementor-woocommerce-wordpress-theme/39241221.


Vulnerability details

The PressMart - Modern Elementor WooCommerce WordPress Theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
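To make the flaw class in the two descriptions above concrete, here is an added illustration (not PressMart's code; the action names, nonce name and shortcode tag are assumptions) of a WordPress AJAX handler in the CWE-94 shape the advisory describes, followed by a hardened version that applies input validation (NIST SI-10), a nonce and a capability check:

```php
<?php
// Added illustration, not the theme's code. All names below are hypothetical.

// Vulnerable pattern: the raw request value reaches do_shortcode unchecked,
// and the nopriv hook makes the action reachable without logging in.
function example_render_shortcode_unsafe() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // any registered shortcode can be invoked
    wp_die();
}
add_action( 'wp_ajax_nopriv_example_render', 'example_render_shortcode_unsafe' );

// Hardened pattern: accept only a tag from a fixed allowlist with allowlisted
// numeric attributes, build the shortcode string server-side, and require a
// nonce plus a capability so anonymous requests are rejected.
const EXAMPLE_ALLOWED_SHORTCODES = array(
    'example_products' => array( 'limit', 'columns' ), // tag => allowed attrs
);

function example_build_allowed_shortcode( $tag, array $attrs ) {
    if ( ! isset( EXAMPLE_ALLOWED_SHORTCODES[ $tag ] ) ) {
        return null; // unknown tag: refuse rather than pass it through
    }
    $out = '[' . $tag;
    foreach ( EXAMPLE_ALLOWED_SHORTCODES[ $tag ] as $name ) {
        if ( isset( $attrs[ $name ] ) ) {
            // attributes are numeric here; absint() discards anything else
            $out .= sprintf( ' %s="%d"', $name, absint( $attrs[ $name ] ) );
        }
    }
    return $out . ']';
}

function example_render_shortcode_safe() {
    check_ajax_referer( 'example_render_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $tag   = isset( $_POST['tag'] ) ? sanitize_key( $_POST['tag'] ) : '';
    $attrs = ( isset( $_POST['attrs'] ) && is_array( $_POST['attrs'] ) ) ? $_POST['attrs'] : array();
    $shortcode = example_build_allowed_shortcode( $tag, $attrs );
    if ( null === $shortcode ) {
        wp_send_json_error( 'unsupported shortcode', 400 );
    }
    wp_send_json_success( do_shortcode( $shortcode ) );
}
// Registered for authenticated users only: no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_render', 'example_render_shortcode_safe' );
```

The allowlist is the SI-10 control the page's mitigation section refers to: the request never supplies shortcode syntax, only a tag name and attributes that are checked and re-serialised before do_shortcode sees them.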

CWE(s): CWE-94 (Improper Control of Generation of Code)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques? Direct remote exploitation of a public-facing WordPress application enabling arbitrary shortcode (code) execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13773 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2026-30643 (shared CWE-94)
CVE-2026-30460 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2024-13792 (shared CWE-94)
CVE-2020-37052 (shared CWE-94)
CVE-2026-42555 (shared CWE-94)
CVE-2025-65037 (shared CWE-94)

Affected Assets

Vendor: presslayouts
Product: pressmart
Versions: ≤ 1.2.17

Mitigating Controls (NIST 800-53 r5, AI-derived mapping)

SI-10 Information Input Validation (prevent): Directly addresses the improper input validation before do_shortcode execution, preventing unauthenticated arbitrary shortcode injection.

SI-2 Flaw Remediation (prevent): Remediates the specific flaw in the PressMart theme by identifying, patching, and verifying corrections to input handling in vulnerable versions up to 1.2.16.

Vulnerability scanning (detect / respond): Scans WordPress themes and components for known vulnerabilities like CVE-2024-13797, enabling detection and prioritized remediation.
