CVE-2024-13690
Published: 25 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2024-13690 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the WP Church Donation plugin for WordPress. It affects all versions up to and including 1.7 due to insufficient input sanitization and output escaping in several donation form submission parameters. This flaw enables the injection of arbitrary web scripts into pages, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated attackers can exploit the vulnerability remotely with low complexity, no required privileges, and no user interaction. By submitting malicious payloads through the donation form parameters, attackers store scripts on affected pages. These scripts execute in users' browsers whenever the injected pages are accessed, potentially compromising session data or performing actions on behalf of victims within the site's scope.
Advisories and references, including the Wordfence threat intelligence report and the plugin's WordPress.org page, provide details on the vulnerability. Source code from version 1.7 in files such as church-donation-form-display.php and church-donation-listings.php highlights the unsanitized parameters responsible for the issue. Security practitioners should review these resources for recommended mitigations, such as updating the plugin if patches are available beyond version 1.7.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin enables T1190 (exploiting public-facing app via form injection), T1059.007 (arbitrary JavaScript execution in browser), and T1185 (session hijacking to compromise data).