CVE-2024-13574
Published: 11 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behavior, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2024-13574 is a reflected cross-site scripting (XSS) vulnerability in the XV Random Quotes WordPress plugin through version 1.40. The flaw arises because the plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing malicious scripts to be injected and executed in a victim's browser. This issue is classified under CWE-79 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
Attackers can exploit this vulnerability remotely and without privileges by tricking a targeted user, such as an administrator, into interacting with a maliciously crafted link or page. Successful exploitation executes arbitrary JavaScript in the context of the victim's browser, potentially enabling session hijacking, theft of sensitive data, or further actions within the low confidentiality, integrity, and availability impacts rated in the vector. Because user interaction is required, the flaw lends itself to phishing campaigns aimed at high-privilege WordPress users.
The WPScan advisory at https://wpscan.com/vulnerability/7eb9ef20-5d34-425e-b7fc-38a769d0a822/ details the vulnerability; security practitioners should consult it for specific detection, patch availability, and mitigation guidance, such as updating to a fixed version beyond 1.40 or implementing input validation and output escaping.
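The advisory describes a reflected parameter that reaches a victim only through a crafted link, so the request itself, and its URL-encoded payload, lands in the web server's access log. The following added example (not code from the plugin, WPScan, or WordPress) parses constructed Apache/Nginx "combined"-format log lines, URL-decodes every query parameter, and flags values that carry script tags, inline event handlers, or javascript: URLs. The endpoint `page=example-plugin` and the parameter `q` are placeholders, since the advisory does not name the vulnerable parameter; the log lines are constructed, not real traffic.

```python
"""Flag reflected-XSS-style payloads in web-server access logs.

Added illustration for CVE-2024-13574; not code from the plugin, WPScan or
WordPress. Hits are triage indicators (a probe was sent), not proof that the
script executed in anyone's browser.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache "combined" log format; Nginx's default "combined" format is identical.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicators of script injection into an HTML context, checked in this order
# against the decoded parameter value. Ordinary values rarely contain them,
# but "on[a-z]+=" can also hit legitimate text, so treat results as leads.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "html_tag": re.compile(r"<\s*(img|svg|iframe|body|object|embed)\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
}

# Placeholder: the advisory does not name the plugin's endpoint or parameter.
PLUGIN_PATH_HINT = "page=example-plugin"

# Constructed sample lines (RFC 5737 test addresses, no real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin.php?page=example-plugin&q=hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Mar/2025:10:02:15 +0000] "GET /wp-admin/admin.php?page=example-plugin&q=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 5233 "http://evil.example/" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2025:10:03:40 +0000] "GET /?s=quotes HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.8 - - [11/Mar/2025:10:04:01 +0000] "GET /wp-admin/admin.php?page=example-plugin&q=x%22%20onmouseover%3Dtest()%20y%3D%22 HTTP/1.1" 200 5201 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Mar/2025:10:05:30 +0000] "GET /wp-admin/admin.php?page=example-plugin&q=%253Cimg%2520src%253Dx%2520onerror%253Dtest%253E HTTP/1.1" 200 5190 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(value):
    """Return the name of the first XSS indicator found in value, else None."""
    for label, pattern in XSS_PATTERNS.items():
        if pattern.search(value):
            return label
    return None


def suspicious_params(target):
    """Return (param, decoded_value, indicator) for query values that look like XSS.

    parse_qs decodes once; a second unquote_plus catches double-encoded payloads.
    """
    findings = []
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            for candidate in (value, unquote_plus(value)):
                label = classify(candidate)
                if label:
                    findings.append((name, candidate, label))
                    break
    return findings


def scan_log(text, path_hint=PLUGIN_PATH_HINT):
    """Return one finding per suspicious parameter in requests to the plugin page.

    The referer is kept because a reflected-XSS victim usually arrives from an
    external page or mail link, which helps distinguish a lure from a scanner.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or path_hint not in rec["target"]:
            continue
        for name, value, label in suspicious_params(rec["target"]):
            findings.append({
                "ip": rec["ip"], "time": rec["ts"], "status": rec["status"],
                "referer": rec["referer"], "param": name,
                "value": value, "indicator": label,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['param']}={f['value']!r} -> {f['indicator']} (referer {f['referer']})")
```

Run against the constructed lines, the scan reports the script-tag probe (with its external referer), the attribute-breakout event handler, and the double-encoded image tag, while the benign `q=hello` request and the unrelated search request are ignored. In production, feed it the real plugin endpoint and parameter from the WPScan advisory and correlate hits with the status code (a 200 means the parameter was reflected, a 403 that a WAF blocked it).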
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
- Affected Products: XV Random Quotes WordPress plugin, through version 1.40
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1566.002 (Phishing: Spearphishing Link), T1059.007 (Command and Scripting Interpreter: JavaScript), T1185 (Browser Session Hijacking)
Why these techniques?
Reflected XSS in a public-facing WordPress plugin enables direct exploitation of the web application (T1190), delivery via crafted malicious links in phishing (T1566.002), arbitrary JavaScript execution in the browser (T1059.007), and session hijacking (T1185), as explicitly noted in the description.