CVE-2024-13863
Published: 25 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2024-13863 is a reflected cross-site scripting (XSS) vulnerability in the Stylish Google Sheet Reader WordPress plugin version 4.0 and prior to 4.1. The flaw arises because the plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing malicious scripts to be injected and executed in a victim's browser. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and is associated with CWE-79 (Cross-Site Scripting).
An unauthenticated attacker over the network can exploit this vulnerability with low complexity by crafting a malicious URL or payload that includes the unsanitized parameter. The attack requires user interaction, such as an administrator clicking a link or visiting a malicious page, after which the payload executes in the context of the high-privilege user's browser session. This could enable the attacker to steal session cookies, perform actions on behalf of the victim, or conduct further attacks within the WordPress site.
Mitigation involves updating the Stylish Google Sheet Reader plugin to version 4.1 or later, which addresses the sanitization issue. Additional details are available in the WPScan advisory at https://wpscan.com/vulnerability/a6161595-0934-4baa-9da6-73792f4b87fd/.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and arbitrary JavaScript execution in the victim's browser (T1059.007), facilitating session cookie theft and actions on behalf of the user.