CVE-2024-13881
Published: 20 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2024-13881 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Link My Posts WordPress plugin through version 1.0. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling malicious script execution in a victim's browser. Published on 2025-03-20, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and potential scope change.
Attackers require no privileges (PR:N) and can exploit this over the network (AV:N) with low complexity (AC:L), though it demands user interaction (UI:R), such as clicking a crafted link. The vulnerability targets high-privilege users like administrators, allowing attackers to execute scripts in their context, potentially leading to session hijacking, data theft, or further site compromise with low impacts on confidentiality, integrity, and availability but elevated scope (S:C).
Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/900fa2c6-0cac-4920-aef2-e8b94248b62e/. Security practitioners should review this reference for patching guidance and update the plugin beyond version 1.0 where possible.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and arbitrary JavaScript execution in the victim's browser (T1059.007), facilitating session hijacking and further compromise.