CVE-2024-13797 in PressMart Plugin
Summary
by MITRE • 02/18/2025
The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/21/2025
The PressMart WordPress theme presents a critical security vulnerability classified as CVE-2024-13797, affecting all versions through 1.2.16. This flaw resides within the theme's handling of shortcode execution mechanisms, creating an avenue for unauthorized code injection that could compromise affected WordPress installations. The vulnerability specifically targets the theme's failure to implement proper input validation before executing do_shortcode actions, which represents a fundamental security oversight in the theme's code architecture.
This vulnerability operates through a path traversal and code execution pattern that aligns with CWE-74 and CWE-94, where user-supplied input is directly processed without adequate sanitization or validation. The flaw enables unauthenticated attackers to inject and execute arbitrary shortcodes through the theme's interface, bypassing standard WordPress security controls that typically protect against such malicious activities. The issue stems from the theme's improper handling of user-provided parameters that are subsequently passed to the do_shortcode function, which is a core WordPress mechanism designed to process shortcode tags within content.
The operational impact of this vulnerability extends beyond simple code execution, as it creates a persistent threat vector that can be exploited without requiring user authentication or administrative privileges. Attackers can leverage this flaw to inject malicious shortcodes that may perform various harmful actions including data exfiltration, defacement, or the installation of backdoors. The vulnerability's implications are particularly severe in WordPress environments where themes handle user-facing content processing, as the attack surface expands to include any functionality that processes shortcode parameters. This weakness can be exploited across multiple attack vectors including contact forms, customizer interfaces, or any theme-specific shortcode handling mechanisms.
Security professionals should consider this vulnerability in the context of the MITRE ATT&CK framework, particularly under the T1059.001 technique for command and script injection, and T1566 for spearphishing with a malicious attachment or link. The vulnerability's exploitation pattern aligns with attack chains that involve initial access through unauthenticated means followed by privilege escalation or persistent access establishment. Organizations should prioritize immediate patching of affected installations, as the vulnerability's exposure window remains open until the theme is updated to version 1.2.17 or later, which implements proper input validation for shortcode execution paths.
Recommended mitigations include implementing immediate theme updates to the patched version, deploying web application firewalls with rules specifically targeting shortcode injection patterns, and conducting comprehensive security audits of all active themes and plugins. Network monitoring should be enhanced to detect unusual shortcode execution patterns, while administrators should review and restrict shortcode capabilities within WordPress environments. The vulnerability serves as a reminder of the critical importance of proper input validation in theme and plugin development, emphasizing the need for adherence to secure coding practices that prevent injection flaws and maintain the integrity of WordPress content processing pipelines.