CVE-2024-13836
Published: 11 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution (this is the MITRE ATT&CK description of T1059.007, the technique mapped below, not the CVE description).
Security Summary
CVE-2024-13836 is a reflected cross-site scripting (XSS) vulnerability in the WP Login Control WordPress plugin, affecting versions up to and including 2.0.0. The plugin neither sanitizes nor escapes a request parameter before echoing it back into the page, so an attacker-controlled value is rendered as markup and script in the victim's browser. Published on 2025-03-11, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-79.
The flaw is exploitable remotely by an unauthenticated attacker with low attack complexity, but it requires user interaction: the victim must open a crafted link. Reflected XSS of this kind is typically aimed at high-privilege users such as administrators. A victim who follows the link runs the injected script in their authenticated browser session, which can lead to session theft or to actions performed with the victim's privileges; the CVSS impact metrics are rated low (C:L/I:L/A:L), with scope changed because the script executes in the user's browser rather than in the vulnerable component. One caveat for impact assessment: WordPress sets its authentication cookies with the HttpOnly flag, so an injected script is more likely to act through the victim's live session (for example by issuing authenticated requests that carry the page's nonces) than to read the cookie directly.
WPScan's advisory documents the issue at https://wpscan.com/vulnerability/26c2026a-1490-4a0f-9d1d-54ee43c69f22/ and recommends updating the plugin to a release later than 2.0.0, which addresses the missing sanitization and escaping. On a site you administer, the installed version can be checked on the Plugins screen or with WP-CLI (`wp plugin list`).
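As an added illustration (not the plugin's own code and not the WPScan advisory's proof of concept), the PHP below shows the unescaped-reflection pattern that CWE-79 describes next to the fix a WordPress plugin should apply. The parameter name `msg` and the notice markup are assumptions; the advisory does not name the affected parameter. The WordPress helpers are replaced by small stand-ins so the script runs under plain `php`; in a real plugin use `sanitize_text_field( wp_unslash( ... ) )` on input and `esc_html()` / `esc_attr()` at the point of output.

```php
<?php
// Added example, not the plugin's code: the reflection pattern behind CWE-79
// and a hardened version. The parameter name "msg" is hypothetical; the
// advisory does not name the affected parameter.

// Vulnerable pattern: a request value is echoed straight into HTML output,
// both inside an attribute and as element text.
function render_vulnerable( array $get ): string {
    $msg = isset( $get['msg'] ) ? (string) $get['msg'] : '';
    return '<div class="notice" title="' . $msg . '">' . $msg . '</div>';
}

// Stand-in for WordPress sanitize_text_field(): strips tags, collapses
// whitespace and trims. Sanitizing on input is defense in depth only.
function sanitize_text_field_stub( string $value ): string {
    $value = strip_tags( $value );
    $value = preg_replace( '/[\r\n\t ]+/', ' ', $value );
    return trim( $value );
}

// Stand-in for WordPress esc_html() / esc_attr(): entity-encodes & < > " '
// so the value can only ever be rendered as text. Escaping at output is
// what actually prevents XSS.
function esc_html_stub( string $value ): string {
    return htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Hardened pattern: sanitize on input, escape on output for each context.
function render_safe( array $get ): string {
    $msg = isset( $get['msg'] ) ? sanitize_text_field_stub( (string) $get['msg'] ) : '';
    return '<div class="notice" title="' . esc_html_stub( $msg ) . '">'
        . esc_html_stub( $msg ) . '</div>';
}

// Constructed sample request carrying a script payload that first breaks
// out of the attribute and then injects a script element.
$get = [ 'msg' => '"><script>alert(document.domain)</script>' ];

echo "vulnerable: ", render_vulnerable( $get ), "\n";
echo "hardened:   ", render_safe( $get ), "\n";
```

Run with `php example.php`. The vulnerable render emits the payload verbatim, so the browser closes the `title` attribute early and executes the injected `<script>` element; the hardened render emits only entity-encoded text, and the tag stripping leaves nothing executable even if escaping were later removed by mistake.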
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Affected Products
- WP Login Control (WordPress plugin), versions up to and including 2.0.0
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.007 Command and Scripting Interpreter: JavaScript
Why these techniques?
Reflected XSS in a public-facing WordPress plugin maps to Exploit Public-Facing Application (T1190) for the crafted request that delivers the payload, and to Command and Scripting Interpreter: JavaScript (T1059.007) for the injected script that then executes in the victim's browser context.