CVE-2024-13633
Published: 26 February 2025
Description
The Simple catalogue WordPress plugin through 1.0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Security Summary
CVE-2024-13633 is a reflected cross-site scripting (XSS) vulnerability in the Simple Catalogue WordPress plugin through version 1.0.2. The flaw arises because the plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing malicious scripts to be reflected and executed in a victim's browser. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation).
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) by crafting a URL carrying the reflected parameter and tricking a targeted high-privilege user, such as an admin, into opening it, typically via social engineering such as a phishing link (UI:R). Successful exploitation executes arbitrary JavaScript in the victim's browser; the scope is rated changed (S:C) because the vulnerable component is the plugin while the impact lands in the user's browser session. This can enable session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the victim, although the confidentiality, integrity, and availability impacts are each rated low (C:L/I:L/A:L).
The WPScan advisory at https://wpscan.com/vulnerability/4291d5eb-c006-42b0-accf-90f09f26b6a0/ provides details on the vulnerability, including recommended mitigations such as updating to a patched version of the plugin beyond 1.0.2.
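The advisory describes the root cause only in general terms: a request parameter is written back into the page without sanitisation or escaping. The following is an added example, not code from the Simple Catalogue plugin, that contrasts that unsafe pattern with the standard WordPress fix (unslash, sanitise on input, then escape for the exact output context). The parameter name `cat_search`, the function names, and the probe value are assumptions; the `function_exists` stand-ins are simplified versions of the WordPress helpers so the file also runs outside WordPress, and the real ones take over when WordPress is loaded.

```php
<?php
// Added example (not the Simple Catalogue plugin's code). Parameter name,
// function names and probe value are assumptions for illustration.

// Stand-ins so this runs outside WordPress; inside WordPress the real
// implementations are already defined and these blocks are skipped.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return is_string( $value ) ? stripslashes( $value ) : $value; }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );                       // drop tags
        return trim( preg_replace( '/[\r\n\t ]+/', ' ', $str ) ); // collapse whitespace
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}

// Unsafe pattern (the class of defect the advisory describes): the request
// parameter is concatenated straight into markup, both inside an attribute
// and inside element text.
function catalogue_search_box_unsafe( array $get ) {
    $term = isset( $get['cat_search'] ) ? $get['cat_search'] : '';
    return '<input type="text" name="cat_search" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>';
}

// Hardened pattern: wp_unslash() removes WordPress's added slashes,
// sanitize_text_field() strips tags and stray whitespace on the way in,
// and esc_attr()/esc_html() neutralise the value for its output context.
function catalogue_search_box_safe( array $get ) {
    $term = isset( $get['cat_search'] )
        ? sanitize_text_field( wp_unslash( $get['cat_search'] ) )
        : '';
    return '<input type="text" name="cat_search" value="' . esc_attr( $term ) . '">'
         . '<p>Results for: ' . esc_html( $term ) . '</p>';
}

// Constructed regression probe: a value containing a quote (would close the
// attribute) and a tag (would inject markup). No script is needed to show
// whether the value reaches the page as markup or as inert text.
$probe  = array( 'cat_search' => 'lamp"><em>x</em>' );
$unsafe = catalogue_search_box_unsafe( $probe );
$safe   = catalogue_search_box_safe( $probe );

// The unsafe output carries the raw tag; the hardened output has no tag and
// the quote is encoded, so the attribute cannot be closed early.
assert( strpos( $unsafe, '<em>' ) !== false );
assert( strpos( $safe, '<em>' ) === false );
assert( strpos( $safe, '&quot;' ) !== false );

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

Run it with `php example.php`; the unsafe line shows the probe's tag intact in the page, while the safe line prints `lamp&quot;&gt;x` in both positions. The design point is that sanitising on input is not a substitute for escaping on output: the escape function must match the output context (`esc_attr()` inside attributes, `esc_html()` in text, `esc_url()` for href values), which is exactly the step the vulnerable version omits.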
Details
- CWE(s)