CVE-2024-13346

HIGH

WordPress Avada <= 7.11.13 - Unauthenticated Shortcode Execution

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-13346. PoCs published by tausifzaman.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2024-13346, targeting the Avada Theme < 7.11.14. The exploit leverages unauthenticated arbitrary shortcode execution to create admin users and establish reverse shells, with WAF bypass techniques.

Description

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Exploits (1)

nomisec WORKING POC
by tausifzaman · poc
https://github.com/tausifzaman/CVE-2024-13346

This repository contains a functional exploit for CVE-2024-13346, targeting the Avada Theme < 7.11.14. The exploit leverages unauthenticated arbitrary shortcode execution to create admin users and establish reverse shells, with WAF bypass techniques.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Avada Theme < 7.11.14
No auth needed
Prerequisites: Target URL · Attacker IP and Port for reverse shell
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 7.3
EPSS 0.0210
EPSS Percentile 79.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-94
Status published
Products (2)
theme-fusion/avada < 7.11.14
ThemeFusion/Avada | Website Builder For WordPress & WooCommerce < 7.11.13
Published Feb 13, 2025
Tracked Since Feb 18, 2026