CVE-2024-13346
Published: 13 February 2025
Description
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Security Summary
The Avada Website Builder theme for WordPress and WooCommerce is vulnerable to CVE-2024-13346, an arbitrary shortcode execution flaw affecting all versions up to and including 7.11.13. The flaw is that the theme exposes an action which passes a request-supplied value to do_shortcode() without validating it first, so the caller decides which shortcode string gets rendered. It is classified under CWE-94 (Improper Control of Generation of Code). The CVSS v3.1 base score is 7.3 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L; the rating is driven by the exploitability metrics (network reachable, low complexity, no privileges, no user interaction) rather than by the impact metrics, which are all Low.
Unauthenticated attackers can exploit this remotely with low attack complexity, no privileges, and no user interaction. Exploitation lets the attacker invoke any shortcode registered on the site, not only Avada's own: do_shortcode() dispatches to every tag registered by the active theme and plugins. The Low confidentiality, integrity and availability impacts describe the generic case; the practical blast radius of a given site depends on what its registered shortcodes can do (render private content, query data, trigger side effects), so the assessment should be made per site rather than taken from the vector alone.
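The description above names the pattern but the page carries no code, so the following is an added illustration, not Avada's code and not the actual vulnerable handler: a generic unauthenticated AJAX action that hands a request value to do_shortcode() as-is, beside a hardened version of the same handler. It assumes a WordPress runtime (for example, dropped into wp-content/mu-plugins/); the action names, parameter names, nonce name and shortcode allow-list are hypothetical.

```php
<?php
/**
 * Added illustration for CVE-2024-13346's bug class (not Avada's code).
 * Assumes WordPress is loaded (e.g. wp-content/mu-plugins/example-shortcode.php).
 * Action names, parameter names, the nonce action and the allow-list are hypothetical.
 */

// VULNERABLE PATTERN: an action reachable by anonymous visitors renders whatever
// shortcode string the request supplies. Every shortcode registered on the site,
// by any theme or plugin, becomes callable by an unauthenticated attacker.
function example_vuln_render_shortcode() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // attacker controls the whole string
    wp_die();
}
add_action( 'wp_ajax_nopriv_example_vuln_render', 'example_vuln_render_shortcode' );
add_action( 'wp_ajax_example_vuln_render', 'example_vuln_render_shortcode' );

// HARDENED PATTERN: the raw request value never reaches do_shortcode().
// Require a nonce and a capability, accept only a tag from a fixed allow-list,
// and assemble the shortcode string from validated parts.
const EXAMPLE_ALLOWED_SHORTCODES = array( 'example_gallery', 'example_button' ); // hypothetical tags

function example_safe_render_shortcode() {
    check_ajax_referer( 'example_render_nonce', 'nonce' ); // dies on a bad/missing nonce

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // sanitize_key() reduces the tag to [a-z0-9_-]; the allow-list decides what is renderable.
    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, EXAMPLE_ALLOWED_SHORTCODES, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unsupported shortcode', 400 );
    }

    // Only the attributes this handler expects, each coerced to a safe type.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // The caller never supplies brackets, tag names or raw attribute text.
    $shortcode = sprintf( '[%s id="%d"]', $tag, $id );
    wp_send_json_success( do_shortcode( $shortcode ) );
}
add_action( 'wp_ajax_example_safe_render', 'example_safe_render_shortcode' );
// Deliberately no wp_ajax_nopriv_ hook: anonymous requests get WordPress's
// default "0" response and never reach do_shortcode().
```

When auditing a theme or plugin for this class, grep for do_shortcode( and check each call site for two things: whether the argument can be influenced by the request, and whether the surrounding action is registered with a wp_ajax_nopriv_ hook, a public REST route, or some other unauthenticated entry point. Either condition alone is a finding worth reporting; both together is the situation this CVE describes.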
For mitigation, update Avada to a release later than 7.11.13; the official Avada changelog at https://avada.com/documentation/avada-changelog/ records the fixed release. The Wordfence entry at https://www.wordfence.com/threat-intel/vulnerabilities/id/1f2f390b-332b-452c-9fe7-ccd1a45390dd?source=cve carries the advisory details. After updating, confirm the installed theme version on each site rather than relying on an update notice, and review which shortcodes the site has registered to judge what an attacker could have reached before the patch.
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')