CVE-2024-13878
Published: 20 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2024-13878 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the SpotBot WordPress plugin in versions through 0.1.8. The flaw arises because the plugin does not sanitize and escape a parameter before outputting it back in the page, enabling attackers to inject and execute malicious scripts in the browser of affected users. Published on 2025-03-20, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), rated as high severity due to its network accessibility and potential for scope change.
An unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by crafting a malicious payload in the unsanitized parameter and tricking a victim, particularly a high-privilege user such as an administrator, into interacting with it through a user interface action (UI:R), such as clicking a link. Successful exploitation executes JavaScript in the victim's browser context with a scope change (S:C), potentially leading to low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), such as theft of session cookies or actions performed on behalf of the victim.
Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/882b2022-4ed6-4d9e-8b35-f48ea1580884/. Security practitioners should consult this reference for patching instructions and workaround guidance specific to the SpotBot plugin.
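To make the root cause concrete, the following PHP is an added illustration, not code from the SpotBot plugin or the WPScan advisory: the unescaped-output pattern that produces reflected XSS, beside the WordPress-idiomatic fix (sanitize on input, escape for the exact output context with esc_html()/esc_attr()). The parameter name q, the two render functions and the constructed request are assumptions for illustration; the advisory does not name the affected parameter. Outside WordPress the script falls back to htmlspecialchars()-based stand-ins so it runs with plain `php`.

```php
<?php
// Added example (not SpotBot plugin code): reflected XSS from unescaped output,
// beside the hardened form. Parameter name "q" is an assumption.

// Fallbacks so this file runs outside WordPress. Inside WordPress the real
// esc_html()/esc_attr()/sanitize_text_field() from wp-includes are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // Approximation of WordPress behaviour: drop tags, control characters, outer whitespace.
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        return trim($text);
    }
}

// VULNERABLE pattern: the request parameter is echoed straight into two HTML
// contexts (element text and an attribute value) without escaping.
function render_vulnerable(array $get): string {
    $q = isset($get['q']) ? (string) $get['q'] : '';
    return '<p>Results for: ' . $q . '</p>'
         . '<input type="text" name="q" value="' . $q . '">';
}

// HARDENED pattern: sanitize once on input, then escape per output context.
// esc_html() for text nodes, esc_attr() for attribute values.
function render_hardened(array $get): string {
    $q = isset($get['q']) ? sanitize_text_field((string) $get['q']) : '';
    return '<p>Results for: ' . esc_html($q) . '</p>'
         . '<input type="text" name="q" value="' . esc_attr($q) . '">';
}

// Constructed request (not from the advisory): breaks out of the attribute
// and injects a script element in the vulnerable rendering.
$request = ['q' => '"><script>alert(1)</script>'];

$vuln = render_vulnerable($request);
$safe = render_hardened($request);
echo "vulnerable: {$vuln}\n";
echo "hardened:   {$safe}\n";

// Self-check: the hardened output must not carry a live tag or an unescaped quote.
if (strpos($safe, '<script') !== false || strpos($safe, 'value=""') !== false) {
    throw new RuntimeException('escaping failed');
}
echo "ok: user input reaches the page only as inert text\n";
```

The two layers are deliberately separate: sanitize_text_field() reduces what is stored or reused, but it is esc_html()/esc_attr() at the point of output that actually prevents the browser from interpreting user data as markup. Even if sanitization were skipped, the escaped rendering would still emit `&lt;script&gt;` rather than a script element, which is the defect the advisory describes as missing in the plugin.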
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting)
- Affected Products: SpotBot WordPress plugin, versions through 0.1.8
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1059.007 (Command and Scripting Interpreter: JavaScript)
Why these techniques?
Reflected XSS in a public-facing WordPress plugin enables direct exploitation of the web application (T1190) and execution of attacker-supplied JavaScript in the victim's browser (T1059.007).