Cyber Posture

CVE-2024-13624

Severity: High · Public PoC

Published: 26 February 2025

Modified: 15 May 2025
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0129 (79.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

The WPMovieLibrary WordPress plugin through 2.1.4.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Security Summary

CVE-2024-13624 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the WPMovieLibrary WordPress plugin in versions through 2.1.4.8. The flaw arises because the plugin does not sanitize and escape a parameter before outputting it back in the page, enabling malicious script injection. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
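To make the root cause concrete, the following PHP snippet is an added illustration (not code from WPMovieLibrary or the WPScan advisory) showing the unsafe pattern beside its hardened form; the parameter name `movie_search` and the function names are assumptions, since the advisory does not name the affected parameter.

```php
<?php
// Added illustration, not the plugin's code. `movie_search` and the
// function names are assumed; the advisory does not identify the parameter.

// Vulnerable pattern: a request parameter is written straight back into
// the page with no sanitisation on input and no escaping on output.
function cp_vulnerable_render_search() {
    $term = isset( $_GET['movie_search'] ) ? $_GET['movie_search'] : '';
    echo '<p>Results for: ' . $term . '</p>'; // reflected, unescaped
}

// Hardened pattern: unslash and sanitise on input, then escape on output
// using the escaper that matches the HTML context the value lands in.
function cp_hardened_render_search() {
    $term = isset( $_GET['movie_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['movie_search'] ) )
        : '';

    // HTML body context: esc_html() neutralises <, >, &, ", '.
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';

    // Attribute context: esc_attr() is the correct escaper here.
    echo '<input type="text" name="movie_search" value="'
        . esc_attr( $term ) . '">';
}
```

Sanitising on input alone is not sufficient; the output escaper must match the context (esc_html for text nodes, esc_attr for attribute values, esc_url for href/src).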

Attackers can exploit this vulnerability remotely without authentication by crafting malicious links or payloads that reflect unsanitized input. Exploitation requires tricking a targeted user, particularly high-privilege accounts such as administrators, into interacting with the malicious content via their browser. Successful attacks can lead to script execution in the victim's context, potentially allowing limited impacts like session token theft, phishing, or unauthorized actions on behalf of the user.

The WPScan advisory at https://wpscan.com/vulnerability/c19b56cc-634f-420f-b6a0-9a10ad159049/ provides detailed information on the vulnerability, including exploitation vectors and recommended mitigations for affected WordPress installations.

Details

CWE(s): CWE-79

Affected Products

Vendor: caercam
Product: wpmovielibrary
Versions: ≤ 2.1.4.8

References