CVE-2024-13738 – This vulnerability allows unauthenticated attac... (How to Fix)

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary WordPress shortcodes in the Motors WordPress theme. Attackers can potentially inject malicious code or access restricted functionality. All WordPress sites using Motors theme versions up to 5.6.65 are affected.

💻 Affected Systems

Products:

Motors - Car Dealer, Rental & Listing WordPress theme

Versions: All versions up to and including 5.6.65

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all WordPress installations using vulnerable theme versions

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete site compromise, data theft, or malware injection

🟠

Likely Case

Content injection, privilege escalation, or unauthorized access to restricted functionality

🟢

If Mitigated

Limited impact if shortcode execution is restricted by other security controls

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Attack requires no authentication and shortcode execution is straightforward

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 5.6.65

Vendor Advisory: https://stylemixthemes.com/motors/

Restart Required: No

Instructions:

1. Update Motors theme to latest version via WordPress admin panel
2. Verify theme version is greater than 5.6.65
3. Clear any caching plugins or CDN caches

🔧 Temporary Workarounds

Disable vulnerable endpoint

all

Block access to the vulnerable action endpoint via .htaccess or web server config

# Add to .htaccess: RewriteRule ^wp-admin/admin-ajax\.php.*action=stm_ajax_add_review - [F]

🧯 If You Can't Patch

Temporarily disable or switch to default WordPress theme
Implement web application firewall rules to block suspicious shortcode execution attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Appearance > Themes for Motors theme version ≤5.6.65

Check Version:

wp theme list --field=name,version --path=/path/to/wordpress

Verify Fix Applied:

Confirm theme version >5.6.65 and test shortcode execution functionality

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to admin-ajax.php with stm_ajax_add_review action
Multiple shortcode execution attempts in WordPress debug logs

Network Indicators:

HTTP POST requests containing shortcode payloads to /wp-admin/admin-ajax.php

SIEM Query:

source="wordpress.log" AND "stm_ajax_add_review" AND "do_shortcode"

📊 Metadata

CVE ID: CVE-2024-13738

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-94

EPSS Score: 0.8% exploit probability (73.6th percentile)

Published: May 3, 2025

Last Updated: May 5, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13738, you might also want to check these: