CVE-2024-13345

7.3 HIGH

📋 TL;DR

The Avada Builder WordPress plugin allows unauthenticated attackers to execute arbitrary shortcodes due to improper input validation. This vulnerability affects all WordPress sites using Avada Builder versions up to 3.11.13, potentially enabling attackers to run malicious code through WordPress shortcode functionality.

💻 Affected Systems

Products:
  • Avada Builder WordPress Plugin
Versions: All versions up to and including 3.11.13
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with Avada Builder plugin enabled, regardless of theme or other plugins.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary PHP code, leading to complete site compromise, data theft, or server takeover if vulnerable shortcodes exist.

🟠 Likely Case

Attackers can execute existing WordPress shortcodes to create/delete content, modify settings, or access sensitive information depending on available shortcodes.

🟢 If Mitigated

With proper input validation and shortcode restrictions, impact is limited to non-critical shortcode execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires no authentication and leverages WordPress's built-in do_shortcode function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.11.14 or later

Vendor Advisory: https://avada.com/documentation/avada-changelog/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Avada Builder.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable Avada Builder Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate avada-builder

Restrict Shortcode Execution

all

Add input validation filters to prevent arbitrary shortcode execution.

Add to theme's functions.php: add_filter('pre_do_shortcode_tag', 'validate_shortcode_input', 10, 3);
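The page names the hook and the callback but not the callback body. The following is an added example (not code from the page, from Avada, or from WordPress core) of what that `validate_shortcode_input` callback can look like: an allowlist of shortcode tags that are still permitted to run, with everything else short-circuited to empty output and written to the debug log so the blocked attempt is visible to the monitoring described later on this page. The allowlist contents, the `site_allowed_shortcode_tags` helper and filter name, and the `fusion_text` tag are assumptions for illustration; replace the list with the tags your site actually uses.

```php
<?php
/**
 * Added example: allowlist callback for WordPress's 'pre_do_shortcode_tag' hook.
 *
 * WordPress core applies this filter as
 *   apply_filters( 'pre_do_shortcode_tag', false, $tag, $attr, $m );
 * and, if the result is anything other than false, uses that value as the
 * shortcode's output instead of running the shortcode's handler. That makes
 * the hook a convenient choke point while a site is still on a vulnerable
 * Avada Builder release. Place this in a must-use plugin
 * (wp-content/mu-plugins/) or in the theme's functions.php.
 */

/**
 * Shortcode tags that may still execute. Placeholder list (assumed): replace it
 * with the tags this site actually needs. Any tag not listed renders as an
 * empty string instead of executing.
 */
function site_allowed_shortcode_tags() {
    $allowed = array(
        'gallery',
        'caption',
        'embed',
        'fusion_text', // assumed builder tag name, shown only as an example entry
    );
    // Let other code extend the list without editing this file (assumed filter name).
    return (array) apply_filters( 'site_allowed_shortcode_tags', $allowed );
}

/**
 * Filter callback registered with 3 accepted arguments, matching the
 * add_filter() call on this page: $return, $tag, $attr.
 */
function validate_shortcode_input( $return, $tag, $attr ) {
    // Another filter already short-circuited this tag; leave its decision alone.
    if ( false !== $return ) {
        return $return;
    }

    // Users who can edit content keep normal shortcode behaviour so the editor
    // and builder previews keep working; the restriction targets the
    // unauthenticated rendering path this CVE concerns.
    if ( current_user_can( 'edit_posts' ) ) {
        return false; // false means "continue with normal execution"
    }

    if ( in_array( $tag, site_allowed_shortcode_tags(), true ) ) {
        return false;
    }

    // Record the blocked tag so it appears in wp-content/debug.log when
    // WP_DEBUG_LOG is enabled, where the log indicators on this page can pick it up.
    if ( defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG ) {
        $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
        $uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-';
        error_log( sprintf(
            'blocked do_shortcode tag=[%s] attrs=%s ip=%s uri=%s',
            $tag,
            wp_json_encode( $attr ),
            $ip,
            $uri
        ) );
    }

    // Any non-false value short-circuits execution; an empty string renders nothing.
    return '';
}
add_filter( 'pre_do_shortcode_tag', 'validate_shortcode_input', 10, 3 );
```

Two caveats when using this: the allowlist applies to every shortcode render on the site, so test it on staging first and expect pages that rely on unlisted tags to render gaps; and it only narrows which tags can be reached through the vulnerable path, it does not correct the input validation flaw itself, so updating to 3.11.14 or later remains the fix.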

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block suspicious shortcode patterns.
  • Restrict access to affected WordPress sites using IP whitelisting or authentication requirements.

🔍 How to Verify

Check if Vulnerable:

Check the Avada Builder version in the WordPress admin panel under Plugins. If the version is 3.11.13 or lower, the site is vulnerable.

Check Version:

wp plugin get avada-builder --field=version

Verify Fix Applied:

Verify Avada Builder version is 3.11.14 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual shortcode execution patterns in WordPress debug logs
  • Multiple failed shortcode execution attempts from single IP

Network Indicators:

  • HTTP POST requests containing unusual shortcode parameters to WordPress endpoints

SIEM Query:

source="wordpress.log" AND "do_shortcode" AND ("avada" OR "fusion")
