CVE-2024-13346

7.3 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes in the Avada WordPress theme, potentially leading to remote code execution or data manipulation. It affects all Avada theme versions up to and including 7.11.13 on WordPress sites using this theme.

💻 Affected Systems

Products:
  • Avada | Website Builder For WordPress & WooCommerce theme
Versions: All versions up to and including 7.11.13
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: This affects WordPress installations with the Avada theme active; no specific configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could execute arbitrary code on the server, leading to full system compromise, data theft, or site defacement.

🟠 Likely Case: Attackers may inject malicious shortcodes to redirect users, display unauthorized content, or perform limited data exfiltration.

🟢 If Mitigated: With the patch applied and proper input validation in place, the risk is minimal because the unauthenticated shortcode execution path is closed.

🌐 Internet-Facing: HIGH, as the vulnerability is exploitable by unauthenticated attackers and affects publicly accessible WordPress sites.
🏢 Internal Only: MEDIUM, as internal systems may still be vulnerable to insider or lateral-movement threats, but the external attack surface is limited.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward because of the lack of input validation, but no public proof-of-concept is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 7.11.14 or later

Vendor Advisory: https://avada.com/documentation/avada-changelog/

Restart Required: No

Instructions:

1. Log into the WordPress admin dashboard.
2. Navigate to Appearance > Themes.
3. Check for updates on the Avada theme.
4. Update to version 7.11.14 or higher.
5. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable vulnerable action (WordPress)

Remove or disable the action that allows shortcode execution if patching is not immediately possible.

Consult the theme documentation or developer for the specific code modification; there is no universal command for this.

🧯 If You Can't Patch

  • Restrict access to the WordPress admin and vulnerable endpoints using a web application firewall (WAF).
  • Monitor logs for unusual shortcode execution attempts and block suspicious IP addresses.

🔍 How to Verify

Check if Vulnerable:

Check the Avada theme version in the WordPress admin under Appearance > Themes; if the version is 7.11.13 or lower, the site is vulnerable.

Check Version:

In WordPress, use: wp theme list --fields=name,version | grep -i avada (requires WP-CLI; note that --fields takes the comma-separated list, whereas --field prints a single column)

Verify Fix Applied:

After updating, confirm the Avada theme version is 7.11.14 or higher in the same location.
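The version check above can be scripted so that fleet-wide verification does not depend on reading the Themes screen by eye. The following POSIX sh script is an added example, not part of this advisory or of the Avada project; it assumes the theme's stylesheet slug is avada and that WP-CLI prints plain comma-separated rows for wp theme list --fields=name,version --format=csv. It compares the installed version against the first fixed release, 7.11.14, with a dotted-version comparison that does not need sort -V.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed Avada
# version is affected by CVE-2024-13346 (all versions <= 7.11.13) and report
# the result from WP-CLI's CSV output.

FIXED_VERSION="7.11.14"   # first release that contains the fix (from the advisory)

# version_lt A B: exit status 0 if dotted version A is strictly lower than B.
# Missing components count as 0, so "7.11.14" and "7.11.14.0" compare equal;
# a non-numeric suffix such as "-beta" is ignored for the comparison.
version_lt() {
    vl_a="$1"; vl_b="$2"; vl_i=1
    while :; do
        vl_x=$(printf '%s' "$vl_a" | cut -d. -f"$vl_i" | sed 's/[^0-9].*//')
        vl_y=$(printf '%s' "$vl_b" | cut -d. -f"$vl_i" | sed 's/[^0-9].*//')
        [ -z "$vl_x" ] && [ -z "$vl_y" ] && return 1   # ran out of components: equal
        vl_x=${vl_x:-0}; vl_y=${vl_y:-0}
        [ "$vl_x" -lt "$vl_y" ] && return 0
        [ "$vl_x" -gt "$vl_y" ] && return 1
        vl_i=$((vl_i + 1))
    done
}

# avada_vulnerable VERSION: exit status 0 if VERSION is below the fixed release.
avada_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# report_from_csv: read `wp theme list --fields=name,version --format=csv`
# on stdin and print one status line for the Avada theme (slug assumed: avada).
report_from_csv() {
    while IFS=, read -r rc_name rc_version; do
        case "$rc_name" in
            [Aa]vada*)
                if avada_vulnerable "$rc_version"; then
                    printf 'Avada %s: VULNERABLE (CVE-2024-13346), update to %s or later\n' \
                        "$rc_version" "$FIXED_VERSION"
                else
                    printf 'Avada %s: fixed\n' "$rc_version"
                fi
                ;;
        esac
    done
}

# Constructed sample of what WP-CLI prints on an unpatched site. On a real host
# replace the printf with:  wp theme list --fields=name,version --format=csv
SAMPLE_OUTPUT='name,version
twentytwentyfour,1.0
avada,7.11.13'

printf '%s\n' "$SAMPLE_OUTPUT" | report_from_csv
```

Run it on each WordPress host (or over ssh from a management box) and alert on any VULNERABLE line; after the update, the same command should print "fixed" for the new version.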

📡 Detection & Monitoring

Log Indicators:

  • Look for HTTP requests containing unusual shortcode parameters or patterns in WordPress or web server logs.

Network Indicators:

  • Monitor for unexpected outbound connections or data exfiltration from the WordPress server.

SIEM Query:

Example (pseudo-query; adapt the source and field names to your SIEM): source="wordpress_logs" AND (shortcode OR do_shortcode) AND status=200
