Cyber Posture

CVE-2024-13056

Severity: High
Public PoC: available

Published: 27 January 2025
Modified: 07 May 2025
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0011 (29.7th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Security Summary

CVE-2024-13056 affects the Dyn Business Panel WordPress plugin through version 1.0.0. The vulnerability is a reflected cross-site scripting (XSS) issue arising from the plugin's failure to sanitize and escape a parameter before outputting it back in the page. Classified under CWE-79, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and was published on 2025-01-27.

An attacker can exploit this vulnerability over the network with low attack complexity and no privileges by crafting a malicious payload in the unsanitized parameter. Exploitation requires user interaction, typically tricking a high-privilege user such as an administrator into opening a crafted link or page. A successful attack executes the reflected script in the victim's browser, which could allow session hijacking or other arbitrary script execution in that context; the CVSS vector rates the impact on confidentiality, integrity, and availability as low, with a changed scope.

The WPScan advisory at https://wpscan.com/vulnerability/a6acb608-a23e-461d-af48-a6669a45594a/ provides additional details on the vulnerability, including identification and reporting information.

Details

CWE(s)
CWE-79

Affected Products

Vendor: phycticio
Product: dyn business panel
Version: 1.0.0

References