CVE-2024-13330

HighPublic PoC

Published: 04 February 2025

Published

04 February 2025

Modified

13 May 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0177 82.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

The JustRows free WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Security Summary

CVE-2024-13330 is a reflected cross-site scripting (XSS) vulnerability affecting the JustRows free WordPress plugin through version 0.2. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling attackers to inject and execute arbitrary scripts in the context of a victim's browser. This issue is classified under CWE-79 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) who trick targeted users, particularly high-privilege ones such as administrators, into interacting with a malicious link or page (UI:R). Upon successful exploitation, the reflected XSS payload executes within the victim's browser session, potentially allowing limited impacts such as low-level confidentiality, integrity, and availability violations in a changed security scope (S:C).

Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/b0360650-8c7a-4e17-8618-b5ef1c71ccbf/.

Details

CWE(s): CWE-79

Affected Products

canaveralstudio

justrows free

≤ 0.2

References

https://wpscan.com/vulnerability/b0360650-8c7a-4e17-8618-b5ef1c71ccbf/
Exploit, Third Party Advisory · contact@wpscan.com
https://wpscan.com/vulnerability/b0360650-8c7a-4e17-8618-b5ef1c71ccbf/
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0