CVE-2024-13876
Published: 20 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2024-13876 is a reflected cross-site scripting (XSS) vulnerability affecting the mEintopf WordPress plugin through version 0.2.1. The flaw arises because the plugin fails to sanitize and escape a user-supplied parameter before outputting it back in the page, enabling attackers to inject and execute arbitrary JavaScript code in the context of the victim's browser.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low complexity, no required privileges, and user interaction such as clicking a malicious link. Attackers can target high-privilege users, including administrators, to execute scripts that achieve low impacts on confidentiality, integrity, and availability with a changed scope, potentially leading to session theft, defacement, or other client-side attacks within the authenticated user's session.
The WPScan advisory at https://wpscan.com/vulnerability/d80cd18a-065f-443b-b548-d780b785d68e/ documents the issue and provides further technical details for practitioners.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables web app exploitation (T1190) and arbitrary JavaScript execution in victim browser (T1059.007).