Arbitrary Shortcode Execution Vulnerability in Avada Theme by ThemeFusion
CVE-2024-13346

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Avada | Website Builder For WordPress & WooCommerce
Vendor: CVE Published:; 13 February 2025

Summary

The Avada Theme, a popular website builder for WordPress and WooCommerce, is susceptible to arbitrary shortcode execution in all versions up to and including 7.11.13. The vulnerability arises from inadequate validation of values that users can execute. This flaw allows unauthenticated attackers to run arbitrary shortcodes, potentially compromising the integrity of the website and leading to unauthorized access or manipulation of site content.

Affected Version(s)

Avada | Website Builder For WordPress & WooCommerce * <= 7.11.13

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://avada.com/documentation/avada-changelog/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 13, 2025
Vulnerability Reserved
Jan 11, 2025

Credit

Michael Mazzolini