CVE-2024-13668
Published: 07 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2024-13668 is a reflected cross-site scripting (XSS) vulnerability affecting the WordPress Activity O Meter plugin through version 1.0. The plugin fails to sanitize and escape a user-supplied parameter before outputting it back in the page, enabling attackers to inject and execute arbitrary JavaScript code in the context of the victim's browser. This issue is classified under CWE-79 (Cross-Site Scripting) and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction such as clicking a malicious link (UI:R). It targets high-privilege users such as site administrators, allowing attackers to execute scripts in their session context with a changed scope (S:C); the resulting impact on confidentiality, integrity, and availability is rated low (C:L/I:L/A:L), for example session hijacking or unauthorized actions performed on the victim's behalf.
Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/a7bfc094-b235-419d-882d-96b439651f65/, published on 2025-03-07. Security practitioners should review it for patch information or workarounds specific to the plugin.
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin maps to T1190 (Exploit Public-Facing Application), T1059.007 (Command and Scripting Interpreter: JavaScript, since the injected script runs in the victim's browser), and T1204.001 (User Execution: Malicious Link, since the payload is delivered via a link the victim must click).