Avada Theme < 7.11.14 – Unauthenticated Arbitrary Shortcode Execution | CVE 2024-13346 | Theme Vulnerabilities

Description

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Themes

Fixed in 7.11.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1f2f390b-332b-452c-9fe7-ccd1a45390dd

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

mikemyers

Verified

No

WPVDB ID

54e4f5f3-61fa-49e2-8c5b-f7c6a7a6d481

Timeline

Publicly Published

2025-02-12 (about 1 year ago)

Added

2025-02-12 (about 1 year ago)

Last Updated

2026-05-11 (about 1 day ago)

Other

Published

Title

Published

2025-08-14

Title

Dynamic Pricing With Discount Rules for WooCommerce < 4.5.10 - Authenticated (Shop Manager+) Arbitrary Code Execution

Published

2024-11-15

Title

Uix Slideshow < 1.6.6 - Unauthenticated Arbitrary Shortcode Execution

Published

2024-09-24

Title

Special Text Boxes < 6.2.5 - Unauthenticated Arbitrary Shortcode Execution

Published

2014-08-01

Title

MailPoet Newsletters 2.6.6 - Theme File Upload H&ling Remote Code Execution

Published

2025-02-07

Title

WP All Export Pro < 1.9.2 - Unauthenticated Remote Code Execution via Custom Export Fields