CVE-2024-13345 is a code injection vulnerability classified under CWE-94 affecting the Avada (Fusion) Builder plugin for WordPress, versions up to and including 3.11.13. The vulnerability arises because the plugin improperly controls the generation of code by failing to validate inputs before passing them to the WordPress do_shortcode function. This function executes shortcodes, which can embed dynamic content or code within WordPress posts or pages. Due to the lack of validation, unauthenticated attackers can craft requests that execute arbitrary shortcodes, potentially injecting malicious code or commands. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS 3.1 score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) indicates network attack vector, low attack complexity, no privileges or user interaction required, and impacts on confidentiality, integrity, and availability, albeit limited in scope. While no public exploits have been reported yet, the widespread use of Avada Builder in WordPress sites makes this a critical issue to address. The vulnerability could be leveraged to execute malicious payloads, deface websites, steal sensitive data, or disrupt site availability. The absence of official patches at the time of reporting necessitates immediate mitigation steps by administrators.

The vulnerability allows unauthenticated remote attackers to execute arbitrary shortcodes, which can lead to multiple impacts including partial disclosure of sensitive information (confidentiality), unauthorized modification of site content or behavior (integrity), and potential denial of service or site disruption (availability). Given the popularity of the Avada Builder plugin among WordPress sites globally, exploitation could lead to widespread website defacements, data leakage, or malware distribution. Organizations relying on Avada Builder for their web presence risk reputational damage, loss of customer trust, and potential regulatory consequences if sensitive data is exposed. The ease of exploitation and lack of required privileges make this vulnerability particularly dangerous for public-facing websites. Although no known exploits are currently active, the vulnerability's characteristics make it a likely target for attackers seeking to compromise WordPress sites at scale.

1. Immediately update the Avada (Fusion) Builder plugin to a patched version once available from the vendor. 2. Until a patch is released, disable or restrict access to the Avada Builder plugin, especially on public-facing sites. 3. Implement web application firewall (WAF) rules to detect and block suspicious shortcode execution attempts or unusual POST/GET requests targeting the plugin. 4. Restrict shortcode usage to trusted users only and audit shortcode inputs for suspicious content. 5. Harden WordPress installations by limiting plugin permissions and isolating critical components. 6. Monitor web server and application logs for anomalous shortcode execution or unauthorized access patterns. 7. Educate site administrators about the risks of arbitrary shortcode execution and enforce strict input validation policies. 8. Consider deploying runtime application self-protection (RASP) tools that can detect and block code injection attempts in real time. These measures combined will reduce the attack surface and mitigate exploitation risk until official patches are applied.