CVE-2024-13571

HighPublic PoC

Published: 26 February 2025

Published

26 February 2025

Modified

15 May 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0008 23.5th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

The Post Timeline WordPress plugin before 2.3.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Security Summary

CVE-2024-13571 is a reflected cross-site scripting (XSS) vulnerability in the Post Timeline WordPress plugin versions before 2.3.10. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling attackers to inject and execute malicious scripts. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-79.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity by crafting malicious payloads in a parameter that reflects unsanitized in the page. Exploitation requires user interaction, such as an administrator clicking a malicious link, allowing JavaScript execution in the victim's browser context with changed scope and low impacts on confidentiality, integrity, and availability.

The WPScan advisory at https://wpscan.com/vulnerability/ad6ad44d-fdc3-494c-a371-5d7959d1fd23/ details the issue, with mitigation achieved by updating the Post Timeline plugin to version 2.3.10 or later.

Details

CWE(s): CWE-79

Affected Products

agilelogix

post timeline

≤ 2.3.10

References

https://wpscan.com/vulnerability/ad6ad44d-fdc3-494c-a371-5d7959d1fd23/
Exploit, Third Party Advisory · contact@wpscan.com