CVE-2024-13094

CVE-2024-13094 is a reflected cross-site scripting (XSS) vulnerability in the WP Triggers Lite WordPress plugin through version 2.5.3. The flaw arises because the plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing malicious scripts to be injected and executed in a user's browser. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and is associated with CWE-79 (Cross-Site Scripting).

An unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by tricking a targeted high-privilege user, such as an admin, into interacting with a maliciously crafted link or page (UI:R). Successful exploitation changes the scope (S:C) and enables limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially allowing the attacker to steal session cookies, impersonate the admin, or perform other actions in the victim's browser context.

The WPScan advisories at https://wpscan.com/vulnerability/7a75809e-824e-458e-bd01-50dadcea7713/ provide detailed information on the vulnerability, including technical analysis for mitigation strategies such as updating the plugin beyond version 2.5.3 if a patched release is available. Security practitioners should review the full report for reproduction steps and remediation guidance.