CVE-2024-13345
Avada Builder <= 3.11.13 - Unauthenticated Arbitrary Shortcode ExecutionThe Avada Builder plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
We have discovered 84,288 live websites that are affected by CVE-2024-13345.
Affected Software
| Product | |
| Category | Wordpress Plugins |
| Vulnerable Domains | 84,288 live websites (43% of Avada Builder install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 42 versions ( 78% of all versions) |
Common Weakness Enumeration
CWE-94 Improper Control of Generation of Code ('Code Injection')Details
- Published - Feb 13, 2025
- Updated - Apr 8, 2026
Credits
- Michael Mazzolini (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-13345 United States | 23,658 websites |
 Germany | 14,145 websites |
 Italy | 4,843 websites |
 GB | 4,416 websites |
 France | 4,142 websites |
 Netherlands | 3,548 websites |
 Spain | 3,120 websites |
 Canada | 2,010 websites |
 Australia | 1,744 websites |
 Switzerland | 1,692 websites |
Website Distribution by TLD
Number of websites using CVE-2024-13345| .com | 32,912 websites |
| .de | 9,866 websites |
| .org | 3,838 websites |
| .it | 3,392 websites |
| .nl | 3,319 websites |
| .co.uk | 2,804 websites |
| .fr | 1,719 websites |
| .com.au | 1,565 websites |
| .ch | 1,422 websites |
| .net | 1,400 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-13345
Top websites that are affected by CVE-2024-13345. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *************.**.za |  South Africa | *,*** | |
| ************.com |  Bulgaria | **,*** | |
| ************.com | Germany | **,*** | |
| ************.com | United States | **,*** | |
| **********.gr | Germany | **,*** | |
| ********.com |  Cyprus | **,*** | |
| ***********.com | United States | **,*** | |
| ********.nl |  Belgium | **,*** | |
| ******************.org | United States | **,*** | |
| ****.org | United States | **,*** |
FAQ
CVE-2024-13345 is Improper Control of Generation of Code ('Code Injection') in Avada Builder
A total of 84,288 websites have been identified as vulnerable to CVE-2024-13345, based on global website indexing conducted by WebTechSurvey.
The Avada Builder is affected by the CVE-2024-13345 vulnerability.
Avada Builder versions up to and including 3.11.13 are vulnerable to CVE-2024-13345.