CVE-2024-13793 Overview
CVE-2024-13793 is an arbitrary shortcode execution vulnerability affecting the Wolmart Multi-Vendor Marketplace WooCommerce theme for WordPress. The flaw exists in all versions up to and including 1.8.11. The theme exposes an action that invokes do_shortcode on user-supplied input without proper validation. Unauthenticated attackers can send crafted requests to execute arbitrary WordPress shortcodes registered on the target site. This vulnerability is classified under CWE-94: Improper Control of Generation of Code and carries a CVSS score of 7.3. The EPSS score is 1.316% at the 80th percentile, indicating elevated exploitation likelihood relative to other published CVEs.
Critical Impact
Unauthenticated remote attackers can execute arbitrary shortcodes on affected Wolmart-powered WordPress sites, enabling content injection, data disclosure, and abuse of any privileged shortcode registered on the site.
Affected Products
- D-themes Wolmart Multi-Vendor Marketplace WooCommerce Theme versions up to and including 1.8.11
- WordPress sites running the Wolmart theme with default configuration
- WooCommerce marketplaces deployed on the Wolmart theme codebase
Discovery Timeline
- 2025-05-08 - CVE-2024-13793 published to NVD
- 2025-06-04 - Last updated in NVD database
Technical Details for CVE-2024-13793
Vulnerability Analysis
The Wolmart theme registers an AJAX-style action that accepts attacker-controlled input and passes it to the WordPress do_shortcode() function. WordPress shortcodes are server-side macros that themes and plugins register to render dynamic content. When do_shortcode() runs on untrusted input, it evaluates any registered shortcode the attacker references, including shortcodes that read post data, query users, or perform privileged operations.
The affected handler does not authenticate the requester and does not restrict which shortcodes can be invoked. Any client with network access to the WordPress site can trigger the action. The impact depends on which shortcodes are registered by other installed plugins, but commonly exposes content rendering, user enumeration, file inclusion, and form submission abuse.
Root Cause
The root cause is improper input validation prior to dynamic code evaluation [CWE-94]. The theme treats a request parameter as a trusted shortcode template and passes it directly to do_shortcode() without an allowlist of permitted shortcodes, nonce verification, or capability checks.
Attack Vector
Exploitation requires only network access to the target site. No authentication, user interaction, or elevated privileges are needed. An attacker sends an HTTP request to the vulnerable action endpoint exposed by the Wolmart theme, supplying a shortcode string such as [shortcode_name attr="value"] in the relevant parameter. The server processes the shortcode and returns the rendered output.
No verified public proof-of-concept code is available. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2024-13793
Indicators of Compromise
- Unexpected POST or GET requests to admin-ajax.php or theme-specific endpoints containing shortcode syntax such as [ and ] in request parameters
- Unauthenticated requests originating from a single IP address that enumerate multiple shortcode names
- Anomalous outbound rendering of content blocks, user data, or form responses without an authenticated session
Detection Strategies
- Inspect web server access logs for request bodies containing URL-encoded shortcode markers like %5B and %5D paired with Wolmart action parameters
- Deploy WordPress audit logging to capture invocations of do_shortcode() from theme code paths
- Apply web application firewall rules that flag unauthenticated requests carrying shortcode payloads to theme endpoints
Monitoring Recommendations
- Monitor for spikes in 200-status responses to Wolmart AJAX actions from non-browser user agents
- Alert on requests that include shortcode names tied to sensitive plugins such as forms, file managers, or membership systems
- Correlate request patterns with WordPress error logs to identify shortcode rendering failures that indicate probing
How to Mitigate CVE-2024-13793
Immediate Actions Required
- Update the Wolmart theme to a version released after 1.8.11 that addresses the issue per the ThemeForest Item Changelog
- Audit installed plugins for shortcodes that expose sensitive data or perform state-changing operations and remove or restrict them
- Block unauthenticated access to theme AJAX endpoints at the web application firewall until patching is complete
Patch Information
The vendor d-themes has published updates through ThemeForest. Site administrators must download the latest Wolmart release from their ThemeForest account and apply it through the WordPress admin interface or via SFTP. Verify the installed version under Appearance > Themes after upgrade. Consult the Wordfence Vulnerability Report for the fixed version reference.
Workarounds
- Use a web application firewall rule that rejects requests to Wolmart action endpoints containing [ or %5B from unauthenticated sessions
- Disable the vulnerable AJAX action by adding a remove_action() call in a mu-plugin until the theme is patched
- Restrict access to admin-ajax.php by IP allowlist where feasible for administrative environments
# Example WAF rule (ModSecurity) to block shortcode payloads in Wolmart requests
SecRule REQUEST_URI "@contains admin-ajax.php" \
"chain,id:1013793,phase:2,deny,status:403,msg:'CVE-2024-13793 Wolmart shortcode injection'"
SecRule ARGS "@rx \[[a-z_\-]+(\s|\])" "t:lowercase,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
