CVE-2024-13055
Published: 27 January 2025
Description
The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Security Summary
CVE-2024-13055 is a reflected cross-site scripting (XSS) vulnerability, mapped to CWE-79, in the Dyn Business Panel WordPress plugin through version 1.0.0. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling attackers to inject and execute malicious scripts in the context of the victim's browser. Published on 2025-01-27, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An attacker can exploit this remotely over the network with low attack complexity and no privileges required, though it relies on user interaction, such as an administrator clicking a crafted malicious link. The changed scope allows the payload to execute with the victim's privileges, potentially targeting high-privilege users like admins to achieve limited impacts on confidentiality, integrity, and availability, such as session hijacking or unauthorized actions within the browser context.
The WPScan advisory at https://wpscan.com/vulnerability/91178272-ed7e-412c-a187-e360a1313004/ provides details on the vulnerability, including affected versions through 1.0.0.
Details
- CWE(s)