CVE-2024-13793 is a code injection vulnerability classified under CWE-94 found in the Wolmart | Multi-Vendor Marketplace WooCommerce Theme for WordPress, affecting all versions up to and including 1.8.11. The vulnerability arises because the theme improperly controls the generation and execution of code by failing to validate input before passing it to the WordPress function do_shortcode. This function processes shortcodes, which are snippets of code that WordPress executes to render dynamic content. Due to the lack of validation, an unauthenticated attacker can craft and submit arbitrary shortcodes that the theme will execute, effectively allowing remote code execution within the context of the WordPress site. This flaw does not require any authentication or user interaction, making it remotely exploitable over the network. The impact includes potential unauthorized disclosure of information (confidentiality), modification or defacement of site content (integrity), and disruption of site availability through malicious shortcode payloads. While no public exploits have been reported yet, the vulnerability's characteristics make it a critical concern for any site using this theme, especially given the widespread use of WooCommerce and WordPress in e-commerce. The CVSS v3.1 base score of 7.3 reflects a high severity rating, with attack vector network, low attack complexity, no privileges required, and no user interaction needed. The vulnerability was reserved in January 2025 and published in May 2025, with Wordfence as the assigner. No official patches have been linked yet, indicating the need for immediate attention from site administrators.

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes on affected WordPress sites, which can lead to several serious consequences. Confidentiality may be compromised if attackers use shortcodes to access sensitive data or configuration details. Integrity is at risk because attackers can modify site content, inject malicious scripts, or deface the website. Availability could be impacted if attackers craft shortcodes that cause resource exhaustion or crash the site, leading to denial of service. For e-commerce sites using the Wolmart theme, this could result in financial loss, reputational damage, and loss of customer trust. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, increasing the likelihood of exploitation. Organizations worldwide that rely on this theme for their online marketplaces are at risk, especially those with limited security monitoring or delayed patch management processes. The absence of known exploits in the wild currently provides a window for proactive mitigation before widespread attacks occur.

1. Immediate action should be to update the Wolmart theme to a patched version once available from the vendor. Monitor official channels for patch releases. 2. In the absence of an official patch, disable or restrict the use of shortcodes in user inputs or untrusted contexts by implementing input validation and sanitization at the application or web server level. 3. Employ a Web Application Firewall (WAF) with custom rules to detect and block suspicious shortcode patterns or payloads targeting the do_shortcode function. 4. Limit permissions and roles in WordPress to minimize exposure, ensuring that only trusted users can add or modify shortcodes or theme files. 5. Conduct regular security audits and monitoring of logs for unusual shortcode execution or unexpected site behavior. 6. Consider isolating the WordPress environment or using containerization to limit the impact of potential exploitation. 7. Educate site administrators about the risks of arbitrary shortcode execution and encourage prompt application of security updates. 8. Backup site data regularly to enable recovery in case of compromise. These measures, combined, provide a layered defense against exploitation until a vendor patch is applied.