CVE-2024-13057
Published: 27 January 2025
Description
The Dyn Business Panel WordPress plugin through 1.0.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
Security Summary
CVE-2024-13057 affects the Dyn Business Panel WordPress plugin through version 1.0.0. The vulnerability stems from missing Cross-Site Request Forgery (CSRF) checks in certain areas, combined with inadequate input sanitisation and output escaping. This flaw, classified under CWE-352, enables attackers to inject Stored Cross-Site Scripting (XSS) payloads. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), rated High: the attack is network-reachable, has low complexity, needs no privileges, requires user interaction, changes scope, and has low impact on each of confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability by crafting malicious web pages or links that, when visited by a logged-in administrator, cause the administrator's browser to submit forged requests to the vulnerable plugin endpoints. Because the plugin neither verifies the request origin nor sanitises the submitted values, the administrator unknowingly stores an XSS payload on the site. The payload later executes as arbitrary JavaScript in the browsers of other users, including administrators, potentially leading to session hijacking, data theft, or further site compromise.
Advisories detailing the issue are available from WPScan at https://wpscan.com/vulnerability/6f869a3d-1ac1-4d31-8fe5-9b9795b15b5b/. The vulnerability was published on 2025-01-27.
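The three controls whose absence this advisory describes (a CSRF nonce check, input sanitisation, and output escaping) are shown below in a hypothetical WordPress settings handler. This is added example code, not the Dyn Business Panel plugin's own source; the hook name, option name, and form field names are assumed placeholders.

```php
<?php
// Hypothetical settings handler for a WordPress plugin (example code, not the
// Dyn Business Panel source). Each numbered step is a control that, when
// missing, produces the CSRF-to-Stored-XSS chain described in CVE-2024-13057.
// 'dbp_*' names are placeholders assumed for this example.

add_action( 'admin_post_dbp_save_settings', 'dbp_save_settings' );

function dbp_save_settings() {
    // 1. Authorisation: only users who may manage options can save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the form must carry a nonce bound to this action and to
    //    the current user's session. A request forged from another origin
    //    cannot include a valid nonce, so check_admin_referer() aborts it.
    check_admin_referer( 'dbp_save_settings', 'dbp_nonce' );

    // 3. Sanitisation on input: strip tags and control characters before the
    //    value is written to the database, so no markup is ever stored.
    $title = isset( $_POST['dbp_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['dbp_title'] ) )
        : '';
    update_option( 'dbp_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=dbp&updated=1' ) );
    exit;
}

function dbp_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'dbp_save_settings', 'dbp_nonce' ); ?>
        <input type="hidden" name="action" value="dbp_save_settings">
        <?php
        // 4. Escaping on output: esc_attr() ensures that even a value which
        //    reached the database unsanitised cannot break out of the attribute
        //    context and execute as script when the page is rendered.
        ?>
        <input type="text" name="dbp_title"
               value="<?php echo esc_attr( get_option( 'dbp_title', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Steps 2 and 4 are independent layers: the nonce stops the forged write, and escaping on output neutralises anything that was stored by other means.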
Details
- CWE(s)