CVE-2024-13345
Published: 13 February 2025
Description
The Avada Builder plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Security Summary
CVE-2024-13345 is a code injection vulnerability affecting the Avada Builder plugin for WordPress, impacting all versions up to and including 3.11.13. The flaw arises from an action in the plugin that fails to properly validate a user-supplied value before passing it to the do_shortcode function, enabling arbitrary shortcode execution. It has been assigned a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-94 (Improper Control of Generation of Code).
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no privileges required, as the CVSS vector indicates. By crafting requests that trigger the vulnerable action, they can execute arbitrary shortcodes on the target site. The CVSS vector rates the impact on confidentiality, integrity, and availability as low, which in practice means outcomes such as data disclosure, site defacement, or limited disruption, depending on which shortcodes are registered on the site.
Mitigation details are available in advisories from Wordfence and the official Avada changelog, which outline the patch and remediation steps for affected installations. Security practitioners should update to a version of the Avada Builder plugin later than 3.11.13 and review sites that ran vulnerable versions for signs of exploitation.
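To make the bug class concrete for defenders reviewing their own plugins, the following is an added illustration, not Avada's code and not the vulnerable action described above: a hypothetical WordPress AJAX handler that passes a request parameter straight into do_shortcode, placed beside a hardened version that only renders an allowlisted tag with sanitized attributes. The hook names, the example_card tag and the nonce action are all hypothetical.

```php
<?php
// Hypothetical illustration of the CWE-94 pattern behind CVE-2024-13345.
// Not the plugin's actual code; hook and tag names are made up.

// --- Vulnerable pattern: request-controlled shortcode string ---
function example_render_shortcode_unsafe() {
    // wp_ajax_nopriv_* actions are reachable by any visitor; there is no
    // capability check and no nonce, and the value is not validated.
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    // Every shortcode registered on the site becomes callable here.
    echo do_shortcode( $content );
    wp_die();
}
add_action( 'wp_ajax_nopriv_example_render', 'example_render_shortcode_unsafe' );
add_action( 'wp_ajax_example_render', 'example_render_shortcode_unsafe' );

// --- Hardened pattern: nonce, allowlisted tag, sanitized attributes ---
const EXAMPLE_ALLOWED_SHORTCODES = array( 'example_card' ); // hypothetical tag

function example_render_shortcode_safe() {
    // 1. Tie the request to a nonce issued to a logged-in session
    //    (the handler is registered only for wp_ajax_, not wp_ajax_nopriv_).
    check_ajax_referer( 'example_render_nonce', 'nonce' );

    // 2. Accept a tag name plus attributes, never a raw shortcode string,
    //    and refuse anything outside the allowlist.
    $tag = isset( $_POST['tag'] ) ? sanitize_key( $_POST['tag'] ) : '';
    if ( ! in_array( $tag, EXAMPLE_ALLOWED_SHORTCODES, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'shortcode not permitted', 403 );
    }

    // 3. Sanitize each attribute: keys restricted to [a-z0-9_-], values to plain text.
    $atts = array();
    $raw  = ( isset( $_POST['atts'] ) && is_array( $_POST['atts'] ) ) ? wp_unslash( $_POST['atts'] ) : array();
    foreach ( $raw as $key => $value ) {
        $atts[ sanitize_key( $key ) ] = sanitize_text_field( $value );
    }

    // 4. Rebuild exactly one shortcode from the validated pieces and render only that.
    $attr_string = '';
    foreach ( $atts as $key => $value ) {
        $attr_string .= sprintf( ' %s="%s"', $key, esc_attr( $value ) );
    }
    $html = do_shortcode( '[' . $tag . $attr_string . ']' );

    wp_send_json_success( $html );
}
add_action( 'wp_ajax_example_render', 'example_render_shortcode_safe' );
```

When auditing a plugin for this pattern, search for do_shortcode calls whose argument can be traced back to $_GET, $_POST or $_REQUEST, and check whether the enclosing handler is registered under a wp_ajax_nopriv_ hook or an unauthenticated REST route; the unauthenticated reachability is what lifts this class of bug to the PR:N vector component quoted above.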
Details
- CWE(s)