CVE-2024-13632

HighPublic PoC

Published: 26 February 2025

Published

26 February 2025

Modified

20 May 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0011 28.8th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

The WP Extra Fields WordPress plugin through 1.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Security Summary

CVE-2024-13632 is a reflected cross-site scripting (XSS) vulnerability affecting the WP Extra Fields WordPress plugin through version 1.0.1. The plugin does not sanitize and escape a parameter before outputting it back in the page, enabling malicious script execution in a user's browser.

The vulnerability can be exploited remotely by unauthenticated attackers with low attack complexity, though it requires user interaction such as clicking a malicious link. It targets high-privilege users like administrators and has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), resulting in low impacts to confidentiality, integrity, and availability within a changed security scope.

Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/85c5b465-afce-4c68-b5e3-214ec4b5c9f2/.

Details

CWE(s): CWE-79

Affected Products

sprintexperts

wp extra fields

≤ 1.0.1

References

https://wpscan.com/vulnerability/85c5b465-afce-4c68-b5e3-214ec4b5c9f2/
Exploit, Third Party Advisory · contact@wpscan.com