CVE-2024-13885

CVE-2024-13885 is a reflected cross-site scripting (XSS) vulnerability in the WP e-Customers Beta WordPress plugin through version 0.0.1. The flaw arises because the plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing malicious scripts to be injected and executed in a victim's browser. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation).

Attackers can exploit this vulnerability remotely over the network without authentication by tricking a targeted user, such as a high-privilege administrator, into interacting with a maliciously crafted link or page. Successful exploitation executes arbitrary JavaScript in the victim's browser context, potentially enabling session hijacking, data theft, or further compromise of the WordPress site, with low impacts on confidentiality, integrity, and availability but elevated scope due to cross-origin effects.

Security practitioners should consult the WPScan advisory at https://wpscan.com/vulnerability/b64d17d6-8416-476e-ad78-b7b9cb85b84f/ for detailed mitigation guidance, including any available patches or workarounds. The vulnerability was published on 2025-03-13.