CVE-2024-13797
Published: 18 February 2025
Summary
CVE-2024-13797 is a high-severity Code Injection (CWE-94) vulnerability in Presslayouts Pressmart. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 39.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13797 is an arbitrary shortcode execution vulnerability in the PressMart - Modern Elementor WooCommerce WordPress Theme for WordPress, affecting all versions up to and including 1.2.16. The issue stems from the theme allowing execution of an action that fails to properly validate a value prior to invoking the do_shortcode function, enabling unauthenticated attackers to execute arbitrary shortcodes. It is rated with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-94 (Improper Control of Generation of Code).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction required. Exploitation allows attackers to execute arbitrary shortcodes, which could result in low impacts to confidentiality, integrity, and availability, depending on the shortcodes used and the site's configuration.
Advisories and additional details are available from sources including Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/24aa6c0b-88bc-4c3e-ada7-2e89d84bdfc3?source=cve and the theme's page on ThemeForest at https://themeforest.net/item/pressmart-modern-elementor-woocommerce-wordpress-theme/39241221.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4803
Vulnerability details
The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not…
more
properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of public-facing WordPress application enabling arbitrary shortcode (code) execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the improper input validation before do_shortcode execution, preventing unauthenticated arbitrary shortcode injection.
Remediates the specific flaw in the PressMart theme by identifying, patching, and verifying corrections to input handling in vulnerable versions up to 1.2.16.
Scans WordPress themes and components for known vulnerabilities like CVE-2024-13797, enabling detection and prioritized remediation.