CVE-2024-10152
Published: 26 February 2025
Summary
CVE-2024-10152 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Elementengage Simple Certain Time To Show Content. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-10152 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Simple Certain Time to Show Content WordPress plugin versions before 1.3.1. The flaw arises because the plugin does not sanitize or escape a parameter before outputting it back on the page, enabling attackers to inject and execute malicious scripts in the browser of affected users.
The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and it changes the scope (S:C) to achieve low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), resulting in a CVSS v3.1 base score of 7.1. An unauthenticated attacker can target high-privilege users, such as administrators, by tricking them into visiting a maliciously crafted link or page, leading to script execution in the victim's session context for potential session theft or further site compromise.
The WPScan advisory at https://wpscan.com/vulnerability/b4d17da2-4c47-4fd1-a6bd-6692b07cf710/ details the issue, with mitigation achieved by updating the plugin to version 1.3.1 or later to properly sanitize and escape the vulnerable parameter.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5303
Vulnerability details
The Simple Certain Time to Show Content WordPress plugin before 1.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such…
more
as admin.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables remote exploitation of the app (T1190) and facilitates browser session hijacking or cookie theft via injected scripts (T1185/T1539).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents reflected XSS by filtering output to block execution of injected malicious scripts in user browsers.
Ensures validation and sanitization of input parameters to mitigate injection of unsanitized data leading to XSS.
Addresses the vulnerability through timely flaw remediation, such as updating the plugin to version 1.3.1 for proper sanitization and escaping.