Cyber Posture

CVE-2024-13625

Severity: High · Public PoC

Published: 17 February 2025
Modified: 14 May 2025
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0266 (85.8th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

The Tube Video Ads Lite WordPress plugin through 1.5.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Security Summary

CVE-2024-13625 is a reflected cross-site scripting (XSS) vulnerability in the Tube Video Ads Lite WordPress plugin through version 1.5.7. The flaw arises because the plugin neither sanitizes nor escapes a request parameter before echoing it back into the page, so an attacker-supplied value is rendered as markup and executed as script in the visiting user's browser. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and is classified as CWE-79 (Cross-Site Scripting).

An unauthenticated attacker can exploit the flaw remotely with low attack complexity, but only with user interaction: the targeted high-privilege user, such as an administrator, must be induced to open a crafted link or page (for example via phishing). Successful exploitation runs attacker-controlled JavaScript in the victim's browser session, potentially enabling session hijacking, theft of sensitive data, or actions carried out with the victim's privileges. The individual confidentiality, integrity and availability impacts are each rated low, but the scope is marked changed (S:C) because the injected script executes in the user's browser rather than within the vulnerable plugin itself, which is why the vector is rated highly against privileged accounts.

The WPScan advisory at https://wpscan.com/vulnerability/6bfabf1d-86f2-4d29-bc55-d618d757dcc6/ provides further detail, including mitigation recommendations such as updating to a patched version of the plugin if one is available. Note that this record lists no patched version, so confirm the fix status with the plugin vendor before relying on an update.

Details

CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")

Affected Products

Vendor: gualdoni
Product: tube video ads lite
Versions: ≤ 1.5.7

References