CVE-2024-13631

CVE-2024-13631 is a reflected cross-site scripting (XSS) vulnerability in the Om Stripe WordPress plugin through version 02.00.00. The flaw arises because the plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing malicious scripts to be injected and executed in a user's browser. This issue is classified under CWE-79 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and potential scope change.

Attackers require no privileges (PR:N) and can exploit this over the network (AV:N) by tricking a targeted user, such as a site administrator, into interacting with a maliciously crafted link or page (UI:L). Successful exploitation executes arbitrary JavaScript in the victim's browser context with the high-privilege user's permissions, potentially leading to low-level impacts on confidentiality, integrity, and availability, such as session hijacking, data theft, or unauthorized actions within the WordPress admin interface.

The WPScan advisory at https://wpscan.com/vulnerability/c991fdd0-cb9d-43ea-bafa-df3b2e806013/ provides detailed analysis and recommends mitigation steps, including updating to a patched version of the plugin if available or disabling it until remediation. Security practitioners should review this reference for specific patch information and workarounds.