CVE-2024-13792
Published: 20 February 2025
Description
The WooCommerce Food - Restaurant Menu & Food ordering plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Security Summary
CVE-2024-13792, published on 2025-02-20, is an arbitrary shortcode execution vulnerability (CWE-94) in the WooCommerce Food - Restaurant Menu & Food ordering plugin for WordPress. It affects all versions up to and including 3.3.2. The issue arises because the plugin allows execution of an action that fails to properly validate a value prior to invoking the do_shortcode function, enabling arbitrary shortcode execution. The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. Exploitation allows attackers to execute arbitrary shortcodes on the targeted WordPress site, with the CVSS vector rating the resulting impact on confidentiality, integrity, and availability as Low.
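The code pattern the description names, an AJAX action that hands a client-supplied value straight to do_shortcode, shown beside a hardened form that only builds shortcodes from a server-side allowlist. This is an added illustration, not the plugin's own code; the action name, request parameters and shortcode tags are hypothetical.

```php
<?php
// Added example, not code from the WooCommerce Food plugin. Action name,
// parameter names and shortcode tags are hypothetical placeholders.

// Vulnerable pattern (CWE-94 shape described in the advisory): a request
// parameter reaches do_shortcode() without validation, so any shortcode
// registered on the site can be invoked by whoever can reach the action.
// Shown for comparison only; not registered with add_action() here.
function example_render_view_vulnerable() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // arbitrary shortcode execution
    wp_die();
}

// Hardened pattern: the client picks a view by name, the name is checked
// against a fixed allowlist, every attribute is coerced to a safe type, and
// the shortcode string is assembled by the server, never taken from input.
add_action( 'wp_ajax_example_render_view', 'example_render_view_hardened' );
add_action( 'wp_ajax_nopriv_example_render_view', 'example_render_view_hardened' );
function example_render_view_hardened() {
    // CSRF protection; the nonce is emitted with the page that calls this action.
    check_ajax_referer( 'example_render_view', 'nonce' );

    // Only shortcodes the plugin itself owns may be rendered through this action.
    $allowed_tags = array( 'example_food_menu', 'example_food_categories' );

    $tag = isset( $_POST['view'] ) ? sanitize_key( $_POST['view'] ) : '';
    if ( ! in_array( $tag, $allowed_tags, true ) ) {
        wp_send_json_error( 'unknown view', 400 ); // exits
    }

    // Attributes are typed, so a caller cannot smuggle in a closing bracket
    // or a second shortcode through an attribute value.
    $category = isset( $_POST['category'] ) ? absint( $_POST['category'] ) : 0;
    $per_page = isset( $_POST['per_page'] ) ? min( absint( $_POST['per_page'] ), 100 ) : 12;

    $shortcode = sprintf( '[%s category="%d" per_page="%d"]', $tag, $category, $per_page );
    echo do_shortcode( $shortcode );
    wp_die();
}
```

When reviewing a plugin for this bug class, search for do_shortcode() calls whose argument traces back to $_GET, $_POST or $_REQUEST, and treat each one as reachable by unauthenticated users if it is hooked on a wp_ajax_nopriv_ action or a public REST route.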
Advisories and additional details are available from sources including Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/ec425326-2729-4142-b5f4-460dfd3ed773?source=cve and the plugin page on Codecanyon at https://codecanyon.net/item/woocommerce-food-restaurant-menu-food-ordering/25457330.
Details
- CWE(s)