Arbitrary Shortcode Execution in Shortcodes by United Themes for WordPress
CVE-2024-13557
6.5 MEDIUM
Key Information:
- Vendor: United Themes
- Status
- Shortcodes By United Themes
- Vendor
- CVE Published: 29 March 2025
Summary
The Shortcodes by United Themes plugin for WordPress contains a significant vulnerability allowing unauthenticated users to execute arbitrary shortcodes. The issue arises because the plugin does not adequately validate user input before passing it to the do_shortcode function. All versions up to and including 5.1.6 are affected. Attackers exploiting this flaw can execute harmful commands, potentially leading to unauthorized control over affected WordPress sites.
Affected Version(s)
Shortcodes by United Themes * <= 5.1.6
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Michael Mazzolini