From Shortcodes to Sensitive Data: Exploiting CVE-2024-13346 and Beyond
April 17, 2025
Read Before Continuing! There are two other blog posts related to this one!
Exploiting CVE-2024-13346: Shortcode Abuse, Data Leaks, and XSS in WordPress - This is the blog post I wrote for Hadrian about this!
Other note: this blog post isn't linear in time; these bugs were found over the course of four days and many sleepless nights.
Too Long, Didn't Read (vuln chain overview):
1. Unauthenticated shortcode execution: the Avada theme let unauthenticated users send arbitrary shortcodes to a REST endpoint, which executed them with no authentication check at all.
2. Gravity Forms shortcode exposes hidden PII: those shortcodes loaded internal forms, leaking employee forms and privileged information.
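To make the first link of the chain concrete, here is what the vulnerable pattern looks like in a WordPress REST route, beside a hardened version. This is an added illustration, not Avada's or Gravity Forms' code: the namespace `example/v1`, the route names, the `content` parameter and the allowlist are all hypothetical. The point it shows is that `do_shortcode()` on caller-supplied text runs every registered shortcode handler (a form plugin's included) with the privileges of the request, so the only real fix is authorization; the tag allowlist is a second line of defense.

```php
<?php
// Added example. Route names, the 'content' parameter and the
// allowlist below are hypothetical, not taken from any real theme.

// VULNERABLE pattern: anyone can POST shortcode text and have it rendered.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/render-shortcode', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            // do_shortcode() executes every registered shortcode handler,
            // including ones that emit content (e.g. a form plugin's form
            // markup) the caller could never reach through the normal UI.
            return array( 'html' => do_shortcode( $request->get_param( 'content' ) ) );
        },
        'permission_callback' => '__return_true', // the bug: no authorization
    ) );
} );

// HARDENED pattern: require a capability, and only render listed tags.
const EXAMPLE_ALLOWED_SHORTCODES = array( 'gallery', 'caption' ); // hypothetical allowlist

/**
 * validate_callback for the 'content' argument. Returns true when every
 * shortcode tag in $content (including tags nested inside enclosing
 * shortcodes) is on the allowlist, otherwise a WP_Error with status 403.
 */
function example_shortcodes_allowed( $content ) {
    // get_shortcode_regex() matches all registered shortcodes; capture
    // group 2 is the tag name and group 5 is any enclosed content.
    if ( preg_match_all( '/' . get_shortcode_regex() . '/s', $content, $m ) ) {
        foreach ( $m[2] as $tag ) {
            if ( ! in_array( $tag, EXAMPLE_ALLOWED_SHORTCODES, true ) ) {
                return new WP_Error(
                    'rest_forbidden_shortcode',
                    sprintf( 'Shortcode [%s] is not allowed.', $tag ),
                    array( 'status' => 403 )
                );
            }
        }
        // Handlers that call do_shortcode() on their inner content would
        // expand nested tags too, so check the enclosed content recursively.
        foreach ( $m[5] as $inner ) {
            if ( '' !== $inner ) {
                $result = example_shortcodes_allowed( $inner );
                if ( is_wp_error( $result ) ) {
                    return $result;
                }
            }
        }
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/render-shortcode-safe', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            return array( 'html' => do_shortcode( $request->get_param( 'content' ) ) );
        },
        'permission_callback' => function () {
            // Cookie-authenticated REST requests must also carry a valid
            // X-WP-Nonce; core checks that before this callback runs.
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            'content' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => 'example_shortcodes_allowed',
            ),
        ),
    ) );
} );
```

The `permission_callback` is the fix that matters: with `__return_true` the endpoint is reachable by anyone who can send an HTTP request, and shortcode handlers generally assume they are running inside content an editor chose to publish. The allowlist only helps if the listed shortcodes are themselves safe to render for the caller, so audit what each allowed tag outputs before adding it.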