CVE-2024-13352

HighPublic PoC

Published: 07 February 2025

Published

07 February 2025

Modified

09 January 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0284 86.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

The Legull WordPress plugin through 1.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Security Summary

CVE-2024-13352 is a reflected cross-site scripting (XSS) vulnerability affecting the Legull WordPress plugin through version 1.2.2. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling malicious script injection. Published on 2025-02-07, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-79 (Improper Neutralization of Input During Web Page Generation).

The vulnerability can be exploited remotely by unauthenticated attackers over the network with low attack complexity, though it requires user interaction such as clicking a malicious link. It targets high-privilege users like administrators, allowing arbitrary JavaScript execution in their browser context upon successful payload delivery. Potential outcomes include session hijacking, credential theft, or unauthorized actions under the victim's privileges, with low impacts to confidentiality, integrity, and availability but changed scope due to cross-origin effects.

Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/2c141cc0-f79e-42bd-97a6-98829647104c/.

Details

CWE(s): CWE-79

Affected Products

alwayscurious

legull

≤ 1.2.2

References

https://wpscan.com/vulnerability/2c141cc0-f79e-42bd-97a6-98829647104c/
Exploit, Third Party Advisory · contact@wpscan.com