CVE-2024-13738: CWE-94 Improper Control of Generation of Code ('Code Injection') in StylemixThemes Motors - Car Dealer, Rental & Listing WordPress theme
The Motors - Car Dealer, Rental & Listing WordPress theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.6.65. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. *It is unclear exactly which version the issue was patched in from the changelog. Therefore, we used the latest version at the time of verification.
AI Analysis
Technical Summary
The Motors WordPress theme by StylemixThemes contains a code injection vulnerability (CWE-94) that permits arbitrary shortcode execution without proper validation. This flaw exists in all versions up to 5.6.65 and allows unauthenticated attackers to run arbitrary shortcodes via the do_shortcode function. The vulnerability has a CVSS v3.1 base score of 7.3, indicating high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The exact version where the issue is fixed is not specified in the changelog, and no patch links or vendor advisories are currently available.
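The root cause described above is a request value reaching do_shortcode without validation. The following is an added example of the general hardening pattern for such a handler, not code from the Motors theme or from StylemixThemes: the action name `example_render_block`, the shortcode `example_listing_grid`, and the `tag` and `atts` request fields are all hypothetical.

```php
<?php
// Added example: hypothetical handler and names, not the Motors theme's code.

// Shortcodes this endpoint may render, with the attribute names each accepts.
const EXAMPLE_ALLOWED_SHORTCODES = array(
    'example_listing_grid' => array( 'per_page', 'order' ),
);

function example_render_block_ajax() {
    // Take the tag name and attributes as separate fields; never accept a
    // raw "[shortcode ...]" string from the request.
    $tag  = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    $atts = ( isset( $_POST['atts'] ) && is_array( $_POST['atts'] ) )
        ? wp_unslash( $_POST['atts'] )
        : array();

    // Reject anything that is not explicitly allowlisted and registered.
    if ( ! isset( EXAMPLE_ALLOWED_SHORTCODES[ $tag ] ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( array( 'message' => 'Shortcode not permitted.' ), 403 );
    }

    // Rebuild the shortcode server-side from allowlisted attribute names only.
    $pairs = '';
    foreach ( EXAMPLE_ALLOWED_SHORTCODES[ $tag ] as $name ) {
        if ( isset( $atts[ $name ] ) && is_scalar( $atts[ $name ] ) ) {
            $value = sanitize_text_field( (string) $atts[ $name ] );
            // Drop characters that could close the attribute or open a new tag.
            $value  = str_replace( array( '"', '[', ']' ), '', $value );
            $pairs .= sprintf( ' %s="%s"', $name, $value );
        }
    }

    wp_send_json_success( array( 'html' => do_shortcode( "[{$tag}{$pairs}]" ) ) );
}

// Registered for logged-in and logged-out visitors, which is why the
// allowlist check above has to hold for unauthenticated requests.
add_action( 'wp_ajax_example_render_block', 'example_render_block_ajax' );
add_action( 'wp_ajax_nopriv_example_render_block', 'example_render_block_ajax' );
```

The key property is that the request can only select among shortcodes the developer listed; it never supplies the shortcode text itself.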
Potential Impact
Successful exploitation enables unauthenticated attackers to execute arbitrary shortcodes, potentially leading to limited confidentiality, integrity, and availability impacts on affected WordPress sites using the vulnerable theme. This could allow attackers to run unauthorized code within the WordPress environment, impacting site behavior and data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is identified and applied, consider restricting access to the affected theme or disabling shortcode execution features if feasible. Monitor StylemixThemes communications for updates regarding patches or official mitigations.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-26T19:03:03.326Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d981cc4522896dcbda745
Added to database: 5/21/2025, 9:08:44 AM
Last enriched: 4/9/2026, 1:19:15 PM
Last updated: 5/8/2026, 10:29:57 PM