CVE-2024-13884
Published: 13 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2024-13884 is a reflected cross-site scripting (XSS) vulnerability affecting the Limit Bio WordPress plugin through version 1.0. The flaw arises because the plugin does not sanitize and escape a parameter before outputting it back in the page, enabling CWE-79: Improper Neutralization of Input During Web Page Generation. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility and scope change.
Unauthenticated attackers (PR:N) can exploit this over the network with low attack complexity, though it requires user interaction (UI:R). By crafting a malicious payload in the vulnerable parameter and tricking a high-privilege user, such as an admin, into accessing a malicious link or page, the attacker can execute arbitrary JavaScript in the victim's browser context. This may result in low-level impacts on confidentiality, integrity, and availability, such as session hijacking or unauthorized actions performed as the targeted user.
The WPScan advisory at https://wpscan.com/vulnerability/759a60ac-c890-4961-91e4-53db5096eb3c/ provides additional details on the vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables network exploitation (T1190) and arbitrary JS execution leading to browser session hijacking (T1185).