CVE-2024-13626
Published: 17 February 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2024-13626 is a reflected cross-site scripting (XSS) vulnerability in the VR-Frases (collect & share quotes) WordPress plugin through version 3.0.1. The flaw arises because the plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing malicious scripts to be injected and executed in a user's browser. It is classified under CWE-79 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and potential scope change.
An unauthenticated attacker (PR:N) can exploit this vulnerability by crafting a URL that carries a script payload in the vulnerable parameter and inducing a target user, such as a site administrator, to interact with it (UI:R), for example by clicking a phishing link or visiting a malicious page. Because the payload runs in the victim's browser in the context of the WordPress site (S:C), the impacts are rated low on each axis (C:L/I:L/A:L), but in practice they include theft of the victim's session cookies, page defacement, and unauthorized actions performed with the victim's privileges.
The WPScan advisory at https://wpscan.com/vulnerability/511c6e7a-087f-41ef-9009-2525f332f8c6/ details the vulnerability, including affected versions through 3.0.1. Site administrators should update the plugin to a release later than 3.0.1, as the description indicates the issue is remediated in later releases.
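As an added illustration of the defect class described above (this is not code from the VR-Frases plugin or from the WPScan advisory), a hypothetical shortcode handler that reflects a request parameter unescaped, beside the hardened form that uses the WordPress sanitizing and escaping helpers. The shortcode tag and the `vr_search` parameter name are assumed placeholders; the page does not name the actual vulnerable parameter.

```php
<?php
// Added illustration, not code from the VR-Frases plugin or the advisory.
// The shortcode tag and the 'vr_search' parameter are assumed placeholders.

// BEFORE: the reflected-XSS pattern CVE-2024-13626 describes. A request
// parameter is concatenated straight into the page, so any markup in the
// URL becomes markup (and script) in the viewer's browser.
function vrf_example_vulnerable_shortcode( $atts ) {
    $term = isset( $_GET['vr_search'] ) ? $_GET['vr_search'] : '';
    return '<p>Results for: ' . $term . '</p>'
         . '<input type="text" name="vr_search" value="' . $term . '">';
}

// AFTER: sanitize on input and escape on output, picking the escaper for the
// HTML context the value lands in (esc_html() for element text, esc_attr()
// for attribute values). The browser then renders the value as literal text.
function vrf_example_hardened_shortcode( $atts ) {
    $term = '';
    // Guard against array-valued parameters (vr_search[]=...), which the
    // string helpers below do not accept.
    if ( isset( $_GET['vr_search'] ) && is_string( $_GET['vr_search'] ) ) {
        // wp_unslash() removes the slashes WordPress adds to request data;
        // sanitize_text_field() strips tags, invalid UTF-8 and stray whitespace.
        $term = sanitize_text_field( wp_unslash( $_GET['vr_search'] ) );
    }
    return '<p>Results for: ' . esc_html( $term ) . '</p>'
         . '<input type="text" name="vr_search" value="' . esc_attr( $term ) . '">';
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_shortcode( 'vrf_example_search', 'vrf_example_hardened_shortcode' );
```

Sanitizing alone is not sufficient: the escaping call at the point of output is what neutralizes the reflected value in each HTML context, and both steps are needed for the fix to hold.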
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a WordPress plugin maps to exploitation of a public-facing web application (T1190), client-side code execution through an unsanitized server response (T1203), JavaScript execution in the victim's browser (T1059.007), and theft of an administrator's session cookies for account abuse (T1539).