CVE-2024-13509
Published: 28 January 2025
Description
The WS Form LITE and PRO plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14.
Security Summary
CVE-2024-13509 is a stored cross-site scripting (XSS) vulnerability affecting the WS Form LITE and PRO plugins for WordPress in all versions up to and including 1.10.13. The flaw stems from insufficient input sanitization and output escaping of the url parameter, allowing arbitrary web scripts to be injected into pages. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is associated with CWE-79.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Script injected via the url parameter executes in the browser of any user who views an affected page, potentially leading to session hijacking, data theft, or further compromise within that user's browser context. The changed scope (S:C) in the CVSS vector reflects that the impact lands on the site visitor rather than on the vulnerable plugin itself.
Advisories indicate the vulnerability is partially fixed in version 1.10.13 and completely addressed in version 1.10.14. Relevant references include WordPress plugin Trac changesets 3225862 and 3226595, the WS Form changelog at wsform.com, and Wordfence threat intelligence detailing the issue. Security practitioners should urge WordPress site administrators using affected WS Form plugins to update to 1.10.14 or later to mitigate the risk.
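The advisory attributes the flaw to the general pattern behind CWE-79: a request-supplied URL written into page markup without scheme validation or context-appropriate escaping. The following stand-alone PHP script is an added illustration of that weakness class and its hardened counterpart; it is not WS Form's code (the plugin's source is not on this page), and the function names render_link_unsafe, safe_url and render_link_safe are assumptions made for the example. The WordPress helpers esc_url() and esc_attr() are the usual fix in plugin code; they are reimplemented here only so the script runs outside WordPress.

```php
<?php
// Added illustration of the CWE-79 pattern described in the advisory.
// NOT the WS Form plugin's code; all function names below are hypothetical.

// Hypothetical "before": the URL is dropped into an href attribute as-is,
// so both a script scheme and an attribute break-out reach the browser.
function render_link_unsafe(string $url): string {
    return '<a href="' . $url . '">Continue</a>';
}

// Step 1 of the hardened form: validate the URL value.
// Mirrors what WordPress esc_url() does: strip control characters and
// whitespace (browsers ignore them inside a scheme, so "java\tscript:"
// would otherwise slip past a naive check), then allow only http(s) or a
// scheme-less relative reference.
function safe_url(string $url): string {
    $url = preg_replace('/[\x00-\x20\x7F]/', '', $url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';   // reject data:, javascript: and any other scheme
    }
    return $url;
}

// Step 2: escape for the HTML attribute context (the role esc_attr() plays
// in WordPress). Quotes become entities, so the value cannot close the
// attribute and start a new one.
function render_link_safe(string $url): string {
    $clean = safe_url($url);
    if ($clean === '') {
        return '';   // emit nothing rather than a link to a rejected URL
    }
    $escaped = htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">Continue</a>';
}

// Constructed sample inputs (not taken from the advisory): a benign URL,
// a script-scheme URL, and a value that tries to break out of the attribute.
$samples = [
    'https://example.com/thanks',
    'javascript:alert(document.cookie)',
    'https://example.com/" onmouseover="alert(1)',
];

foreach ($samples as $s) {
    echo "input:  {$s}\n";
    echo "unsafe: " . render_link_unsafe($s) . "\n";
    echo "safe:   " . render_link_safe($s) . "\n\n";
}
```

Run with `php example.php`. The unsafe renderer reproduces every input verbatim inside the attribute; the hardened renderer drops the second input entirely and emits the third with its quote encoded as `&quot;`, which is the "output escaping" half of the fix the advisory refers to. Validation and escaping are both needed: escaping alone would still let a javascript: URL through as a well-formed href, and validation alone would still let a quote terminate the attribute.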
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')