The PressMart WordPress theme suffers from a code injection vulnerability (CWE-94) because it does not properly validate input before executing shortcodes via do_shortcode. This allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to unauthorized code execution within the WordPress environment. The vulnerability affects all versions up to 1.2.16 and has a CVSS 3.1 score of 7.3 (high severity) with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability.

Successful exploitation allows unauthenticated attackers to execute arbitrary shortcodes, which may lead to partial compromise of the WordPress site’s confidentiality, integrity, and availability. The CVSS score of 7.3 reflects a high-severity risk, but no known exploits are currently reported in the wild.

No official patch or vendor advisory is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, users should consider disabling or restricting shortcode execution where possible or applying temporary mitigations consistent with WordPress security best practices specific to shortcode usage.