CVE-2024-13797
Published: 18 February 2025
Description
The PressMart - Modern Elementor WooCommerce WordPress Theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Security Summary
CVE-2024-13797 is an arbitrary shortcode execution vulnerability in the PressMart - Modern Elementor WooCommerce WordPress Theme for WordPress, affecting all versions up to and including 1.2.16. The issue stems from the theme allowing execution of an action that fails to properly validate a value prior to invoking the do_shortcode function, enabling unauthenticated attackers to execute arbitrary shortcodes. It is rated with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-94 (Improper Control of Generation of Code).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction required. Exploitation allows attackers to execute arbitrary shortcodes, which could result in low impacts to confidentiality, integrity, and availability, depending on the shortcodes used and the site's configuration.
Advisories and additional details are available from sources including Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/24aa6c0b-88bc-4c3e-ada7-2e89d84bdfc3?source=cve and the theme's page on ThemeForest at https://themeforest.net/item/pressmart-modern-elementor-woocommerce-wordpress-theme/39241221.
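One way to check whether an installed copy falls in the affected range (all versions up to and including 1.2.16), as an added example that is not from the advisory or the theme: it reads the Version field from the theme's style.css header and judges a child theme by its parent. The directory slug pressmart, the function names and the sample headers are assumptions constructed for illustration.

```python
import re

LAST_AFFECTED = (1, 2, 16)  # advisory: all versions up to and including 1.2.16
THEME_SLUG = "pressmart"    # assumption: the theme's directory name

def parse_theme_header(css_text):
    """Collect 'Key: value' header fields from a WordPress theme style.css."""
    fields = {}
    for line in css_text[:8192].splitlines():  # WordPress reads only the first 8 KB
        m = re.match(r"^[\s*/#@]*([A-Za-z ]+?)\s*:\s*(.+?)\s*(?:\*/)?\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields

def version_tuple(text):
    """'1.2.16' -> (1, 2, 16); a suffix such as '-beta' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def assess(css_text, parent_css_text=None):
    """Classify a theme by its style.css; a child theme is judged by its parent."""
    hdr = parse_theme_header(css_text)
    if hdr.get("template", "").lower() == THEME_SLUG:
        # Child theme: the code named in the advisory ships with the parent.
        if parent_css_text is None:
            return "unknown: parent style.css required"
        return assess(parent_css_text)
    if THEME_SLUG not in hdr.get("theme name", "").lower():
        return "not PressMart"
    ver = version_tuple(hdr.get("version", ""))
    if not ver:
        return "unknown: no Version header"
    return "affected" if ver <= LAST_AFFECTED else "above affected range"

# Constructed sample headers (not copied from the real theme).
PARENT_AFFECTED = "/*\n Theme Name: PressMart\n Version: 1.2.16\n*/\n"
PARENT_NEWER = "/*\n Theme Name: PressMart\n Version: 1.2.17\n*/\n"
CHILD = "/*\n Theme Name: My Shop Child\n Template: pressmart\n Version: 9.0\n*/\n"

if __name__ == "__main__":
    print(assess(PARENT_AFFECTED))
    print(assess(CHILD, PARENT_AFFECTED))
    print(assess(CHILD))
    print(assess(PARENT_NEWER))
```

A child theme's own Version header says nothing about the parent, so the check returns an unknown status until the parent's style.css is supplied.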
Details
- CWE(s)