CVE-2024-13875
Published: 20 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2024-13875 is a reflected cross-site scripting (XSS) vulnerability affecting the WP-PManager WordPress plugin through version 1.2. The plugin fails to sanitize and escape a user-supplied parameter before outputting it back in the page, enabling attackers to inject and execute malicious JavaScript code in the context of the affected page. This issue is classified under CWE-79 (Cross-Site Scripting) and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited remotely by any unauthenticated attacker with low attack complexity, though it requires user interaction such as clicking a malicious link. It targets high-privilege users like administrators, allowing the injected script to execute in their browser session upon interaction with the crafted payload. Successful exploitation could enable actions such as stealing session cookies, keystroke logging, or performing unauthorized operations on behalf of the victim.
Advisories, including the WPScan report at https://wpscan.com/vulnerability/82c54fb5-f1d9-4bae-a3de-d4335809b81c/, provide further details on detection and remediation for this vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables remote exploitation (T1190) to execute arbitrary JavaScript (T1059.007) in admin browser sessions, directly facilitating web session cookie theft (T1539).