VYPR
High severity 7.3 · NVD Advisory · Published May 3, 2025 · Updated Apr 15, 2026

CVE-2024-13738

Description

The Motors WordPress theme up to 5.6.65 allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient validation before do_shortcode.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The Motors - Car Dealer, Rental & Listing WordPress theme (versions up to and including 5.6.65) contains a vulnerability that permits arbitrary shortcode execution. The root cause is insufficient validation of user-supplied input before it is passed to the do_shortcode function. This allows an attacker to inject and execute any WordPress shortcode without authentication [1].

Exploitation

An unauthenticated attacker can exploit this flaw by sending a crafted request that triggers an action within the theme. No special privileges or network access beyond standard HTTP requests are required. The vulnerability lies in the theme's handling of a specific action that fails to sanitize or validate the value before invoking do_shortcode.

Impact

Successful exploitation enables the attacker to execute arbitrary shortcodes. Depending on the available shortcodes in the WordPress installation, this could lead to content injection, data disclosure (e.g., reading private posts or user metadata), or even remote code execution if shortcodes that invoke PHP functions (such as those from other plugins) are present. The severity is rated High with a CVSS v3 score of 7.3.

Mitigation

The vendor has addressed the issue in a subsequent release, though the exact patched version is not clearly documented in the changelog. Users are strongly advised to update the Motors theme to the latest available version to mitigate the risk. No official workaround has been provided.
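
The root cause described above, request data reaching do_shortcode without validation, can be looked for in other theme or plugin code with a source scan. The Python sketch below is an added example, not code from the Motors theme or its vendor; the PHP sample and its function names are constructed, and the line-ordered taint tracking is a heuristic that will miss indirect flows.

```python
import re

# Request superglobals treated as attacker-controlled sources.
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# Simple assignment: $var = <expr>;
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)\s*([^;]*);")
# do_shortcode( <argument> ), allowing one level of nested parentheses.
SINK = re.compile(r"\bdo_shortcode\s*\(((?:[^()]|\([^()]*\))*)\)")
VAR = re.compile(r"\$[A-Za-z_]\w*")
FUNC = re.compile(r"^\s*(?:\w+\s+)*function\b")

# Constructed PHP sample (hypothetical handlers, not taken from any real theme).
SAMPLE_PHP = """\
<?php
function demo_render_block() {
    $content = sanitize_text_field( $_POST['content'] );
    echo do_shortcode( $content );
}
function demo_render_fixed() {
    $content = '[demo_gallery]';   // fixed, server-chosen tag
    echo do_shortcode( $content );
}
"""


def find_tainted_do_shortcode(php_source):
    """Return [(line_no, line)] where request data reaches do_shortcode().

    A variable is tainted once assigned from a superglobal or from another
    tainted variable. sanitize_text_field() does not clear taint because it
    leaves shortcode brackets intact.
    """
    tainted, findings = set(), []
    for no, line in enumerate(php_source.splitlines(), 1):
        code = line.split("//", 1)[0]  # crude: drop trailing line comments
        if FUNC.match(code):
            tainted.clear()  # PHP locals do not cross function boundaries
        m = SINK.search(code)
        if m and (SOURCE.search(m.group(1))
                  or tainted & set(VAR.findall(m.group(1)))):
            findings.append((no, line.strip()))
        for m in ASSIGN.finditer(code):
            var, expr = m.group(1), m.group(2)
            if SOURCE.search(expr) or tainted & set(VAR.findall(expr)):
                tainted.add(var)
            else:
                tainted.discard(var)  # overwritten with a non-request value
    return findings
```

Each finding is a candidate for manual review: the fix is to pass do_shortcode only server-chosen content or values checked against an allowlist of expected shortcode tags.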

References
  1. motors-landing

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
