CVE-2024-13453 Overview
CVE-2024-13453 affects the Contact Form & SMTP Plugin for WordPress by PirateForms, also known as pirate-forms. The plugin contains an arbitrary shortcode execution flaw in all versions up to and including 2.6.0. The vulnerable code path invokes do_shortcode on user-supplied input without proper validation. Unauthenticated attackers can send crafted requests over the network to execute arbitrary WordPress shortcodes. The weakness is classified under CWE-94 (Improper Control of Generation of Code).
Critical Impact
Unauthenticated remote attackers can execute any shortcode registered on the WordPress site. Shortcode handlers run server-side with the full privileges of the PHP process regardless of who sent the request, so the real impact is decided by what the installed shortcodes do: at minimum, disclosure of data rendered by shortcodes from core or other plugins, and at worst, abuse of administrative functionality that a third-party shortcode handler exposes without its own capability check.
Affected Products
- Contact Form & SMTP Plugin for WordPress by PirateForms
- Plugin slug: pirate-forms
- All versions up to and including 2.6.0
Discovery Timeline
- 2025-01-30 - CVE-2024-13453 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-13453
Vulnerability Analysis
The PirateForms plugin exposes an action handler that accepts user-controlled input and passes it to the WordPress do_shortcode function. The handler does not validate or sanitize the value before invocation. Because the affected action is reachable without authentication, any remote visitor can trigger shortcode expansion. The vulnerable logic resides in the Gutenberg integration component at gutenberg/class-pirateforms-gutenberg.php. Attackers can leverage any shortcode registered on the target site, including shortcodes provided by other installed plugins and by WordPress core; do_shortcode expands every registered tag it finds in the string and leaves unregistered tags untouched, so the attacker's options are exactly the site's shortcode registry. The impact therefore depends on which shortcodes are available, ranging from information disclosure to abuse of administrative functionality embedded behind shortcode handlers. At the time of writing the EPSS probability for this CVE is 0.464%.
Root Cause
The root cause is unsafe execution of do_shortcode on attacker-controlled input. The plugin trusts the value submitted to the action endpoint and renders it through the WordPress shortcode parser. No nonce check, capability check, or input allowlist restricts which shortcodes can be executed. This pattern matches CWE-94, Improper Control of Generation of Code.
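To make the root cause concrete, here is a small Python model of the pattern (an added illustration, not code from WordPress, the plugin or the fix referenced later on this page): a do_shortcode-style expander that runs whatever handler is registered for a tag, a "preview" function that feeds untrusted input straight into it, and a hardened variant that applies the input allowlist the paragraph above says is missing. The handler names (example_form, list_users), the allowlist and the attribute grammar are simplified stand-ins for real WordPress behaviour; the nonce and capability checks the page also names are not modelled here because they live in the WordPress request layer.

```python
"""Python model of CVE-2024-13453's root cause: arbitrary shortcode expansion
on untrusted input, beside an allowlisted version. This is an added example,
not WordPress or plugin code; handlers and the allowlist are made up."""
import re

# Simplified shortcode grammar: "[" tag [attributes] "]". Tag-name charset
# mirrors WordPress (letters, digits, "_" and "-"); closing tags are ignored.
SHORTCODE_RE = re.compile(r"\[([A-Za-z0-9_-]+)((?:\s[^\]]*)?)\]")
ATTR_RE = re.compile(r'([A-Za-z0-9_-]+)=(?:"([^"]*)"|(\S+))')

# Stand-in for WordPress' global $shortcode_tags registry. Any active plugin
# can add entries, which is why expanding attacker text is dangerous.
REGISTRY = {}


def add_shortcode(tag, handler):
    REGISTRY[tag] = handler


def parse_atts(text):
    return {k: (quoted or bare) for k, quoted, bare in ATTR_RE.findall(text)}


def do_shortcode(content):
    """Model of do_shortcode(): expand every *registered* tag in content.

    Unregistered tags are left as-is, exactly like WordPress does.
    """
    def expand(m):
        handler = REGISTRY.get(m.group(1))
        return handler(parse_atts(m.group(2))) if handler else m.group(0)
    return SHORTCODE_RE.sub(expand, content)


def vulnerable_preview(user_input):
    """The flaw: request data goes straight into the shortcode parser."""
    return do_shortcode(user_input)


def hardened_preview(user_input, allowed=frozenset({"example_form"})):
    """Fix pattern: neutralise every tag not on the allowlist, then expand.

    Brackets of disallowed tags are HTML-escaped so a later do_shortcode()
    pass (for instance in the theme) cannot re-expand them.
    """
    def gate(m):
        if m.group(1) in allowed:
            return m.group(0)
        return m.group(0).replace("[", "&#91;").replace("]", "&#93;")
    return do_shortcode(SHORTCODE_RE.sub(gate, user_input))


# Constructed handlers standing in for the plugin's own shortcode and for a
# hypothetical third-party shortcode that leaks data to whoever renders it.
add_shortcode("example_form", lambda atts: "<form>contact form</form>")
add_shortcode(
    "list_users",
    lambda atts: "admin@example.com" if atts.get("role") == "administrator" else "",
)

if __name__ == "__main__":
    payload = "[list_users role=administrator] [example_form]"
    print("vulnerable:", vulnerable_preview(payload))
    print("hardened:  ", hardened_preview(payload))
```

The point of the two functions side by side: the vulnerable path renders the third-party handler's output to an anonymous caller, while the hardened path still renders the plugin's own shortcode and returns the foreign tag inert. In a real fix the allowlist belongs together with a capability check on the endpoint, since shortcode preview is an editor feature and has no reason to be reachable by unauthenticated visitors.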
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker issues an HTTP request to the vulnerable PirateForms action endpoint with a payload containing one or more WordPress shortcodes. The plugin parses the payload through do_shortcode, expanding any registered shortcode tags and returning the rendered result in the response. The exploit complexity is low: beyond confirming the plugin is installed, the only reconnaissance that matters is learning which shortcodes the site has registered, which is usually inferable from the other active plugins and the theme.
No verified public proof-of-concept code is currently published. Refer to the WordPress Plugin Code Snippet and the Wordfence Vulnerability Report for technical details on the vulnerable code path.
Detection Methods for CVE-2024-13453
Indicators of Compromise
- HTTP POST or GET requests to admin-ajax.php or PirateForms REST endpoints containing raw shortcode syntax such as [shortcode_name ...] in unexpected parameter fields.
- Unauthenticated requests targeting PirateForms Gutenberg action handlers from external IP addresses.
- Shortcode expansion triggered outside editor or page-render contexts. WordPress does not log this by default; it only shows up if the site has instrumentation, for example a must-use plugin that hooks the pre_do_shortcode_tag or do_shortcode_tag filter and records the tag, the current request URI and whether the caller is logged in.
Detection Strategies
- Inspect web server access logs for requests referencing PirateForms actions that include URL-encoded %5B and %5D bracket sequences (or double-encoded %255B and %255D) indicating embedded shortcodes. Note that access logs record only the request line, so shortcodes sent in a POST body are visible only in WAF or full-request logs.
- Deploy a Web Application Firewall (WAF) rule that blocks shortcode patterns submitted to PirateForms endpoints by unauthenticated clients.
- Correlate plugin version inventory across managed WordPress hosts to identify installations running pirate-forms ≤ 2.6.0.
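The log-inspection strategy above, as an added Python example (this is not code from the advisory, Wordfence or the plugin): it parses combined-format access-log lines, keeps only requests to admin-ajax.php or REST routes, decodes the query string twice to catch double-encoding, and reports every parameter carrying shortcode syntax, rating hits that also target a plugin-looking action higher. The AJAX action name pirateforms_example_action, the PLUGIN_MARKERS heuristic and the sample log lines are constructed placeholders; substitute the real action and route names from the plugin source before using this in production.

```python
"""Scan access-log lines for WordPress shortcode syntax submitted to
admin-ajax.php or REST endpoints. Added example, not from the advisory or the
plugin. Action names, markers and sample lines are constructed placeholders."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# "[" + tag name + optional attributes + "]", opening or closing form.
# Tag-name charset follows WordPress: letters, digits, "_" and "-".
SHORTCODE_RE = re.compile(r"\[/?([A-Za-z0-9_-]+)(?:\s[^\]]*)?\]")

# Substrings marking a request as aimed at the plugin. Placeholder heuristic
# (assumption): replace with the real AJAX action / REST route names.
PLUGIN_MARKERS = ("pirate", "pirateforms")


def shortcode_tags(value):
    """Return shortcode tag names found in one query-parameter value.

    parse_qs() has already removed one layer of percent-encoding; decoding
    once more catches double-encoded payloads such as %255B...%255D.
    """
    return SHORTCODE_RE.findall(unquote_plus(value))


def classify(line):
    """Return a finding dict for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path
    is_ajax = path.endswith("/wp-admin/admin-ajax.php")
    is_rest = "/wp-json/" in path or "rest_route=" in parts.query
    if not (is_ajax or is_rest):
        return None

    params = parse_qs(parts.query, keep_blank_values=True)
    tags = {}
    for name, values in params.items():
        found = [t for v in values for t in shortcode_tags(v)]
        if found:
            tags[name] = sorted(set(found))
    if not tags:
        return None

    action = params.get("action", [""])[0]
    route = params.get("rest_route", [""])[0] or path
    targets_plugin = any(mk in (action + route).lower() for mk in PLUGIN_MARKERS)
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "endpoint": path,
        "action": action,
        "shortcodes_by_param": tags,
        "targets_plugin": targets_plugin,
        "severity": "high" if targets_plugin else "medium",
    }


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines (not real traffic). "pirateforms_example_action"
# is a placeholder, not the plugin's real AJAX action name.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2025:08:12:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=pirateforms_example_action&content=%5Bwp_users+role%3Dadministrator%5D HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Feb/2025:08:12:03 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=pirateforms_example_action&content=%255Bgallery%255D HTTP/1.1" 200 611',
    '198.51.100.4 - - [10/Feb/2025:08:13:10 +0000] "GET /contact/?ref=%5Bnewsletter%5D HTTP/1.1" 200 9032',
    '198.51.100.9 - - [10/Feb/2025:08:14:22 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 94',
    '192.0.2.33 - - [10/Feb/2025:08:15:00 +0000] "GET /wp-json/wp/v2/search?search=%5Bcontact-form-7+id%3D1%5D HTTP/1.1" 200 2300',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against a real access log with `scan(open("access.log"))`. Two caveats the code cannot remove: a request line never reveals whether the client was logged in, so an "unauthenticated" judgement needs WordPress-side instrumentation or the WAF's session view, and POST bodies are absent from access logs entirely, so the second and most likely delivery channel is only visible where full request logging exists.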
Monitoring Recommendations
- Alert on shortcode expansion triggered from AJAX or REST requests rather than from page rendering. This needs a small amount of instrumentation in WordPress itself (for example a must-use plugin hooking the pre_do_shortcode_tag filter and emitting a log event with the tag name, request URI and login state), since neither the web server nor core WordPress records do_shortcode calls on its own.
- Monitor outbound HTTP traffic from the WordPress host for requests that could indicate shortcode-driven server-side request abuse.
- Track new file writes or option-table changes following suspicious PirateForms requests to identify follow-on activity.
How to Mitigate CVE-2024-13453
Immediate Actions Required
- Update the Contact Form & SMTP Plugin for WordPress by PirateForms to a release newer than 2.6.0 if one is available to your installation (see Patch Information below). If no fixed release can be obtained, treat every install of 2.6.0 and earlier as exploitable and apply the workarounds.
- Audit installed WordPress plugins for shortcodes that perform sensitive actions and disable any that are not required.
- Restrict access to the specific PirateForms AJAX actions and plugin REST endpoints at the WAF or reverse proxy layer for unauthenticated visitors. Blocking admin-ajax.php wholesale is rarely feasible, because many plugins (contact forms included) legitimately call it from the public front end, so scope the rule to the affected action or route names.
Patch Information
The maintainer addressed the issue in a code change tracked in the WordPress Plugin Changeset. Administrators should upgrade past 2.6.0 to the fixed release referenced by the changeset and confirm the patched files are deployed.
Workarounds
- Deactivate and remove the pirate-forms plugin until a patched version is installed.
- Add a WAF signature that blocks requests containing shortcode brackets in PirateForms action parameters.
- Remove or disable third-party plugins that register high-impact shortcodes to reduce the blast radius of shortcode injection.
# Example: identify vulnerable PirateForms installations using WP-CLI
wp plugin list --name=pirate-forms --fields=name,status,version
# Deactivate the plugin until patched
wp plugin deactivate pirate-forms
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


