Arbitrary Shortcode Execution Vulnerability in Avada Theme by ThemeFusion
CVE-2024-13346

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Avada | Website Builder For WordPress & WooCommerce
Vendor: CVE Published:; 13 February 2025

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 10%

Summary

The Avada Theme, a popular website builder for WordPress and WooCommerce, is susceptible to arbitrary shortcode execution in all versions up to and including 7.11.13. The vulnerability arises from inadequate validation of values that users can execute. This flaw allows unauthenticated attackers to run arbitrary shortcodes, potentially compromising the integrity of the website and leading to unauthorized access or manipulation of site content.

Affected Version(s)

Avada | Website Builder For WordPress & WooCommerce * <= 7.11.13

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-13346
Created by tausifzaman

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://avada.com/documentation/avada-changelog/

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Mar 22, 2025
👾
Exploit known to exist
Mar 22, 2025
Vulnerability published
Feb 13, 2025
Vulnerability Reserved
Jan 11, 2025

Credit

Michael Mazzolini