CVE-2024-11638
Published: 10 March 2025
Summary
CVE-2024-11638 is a high-severity an unspecified weakness vulnerability in Gtbabel Gtbabel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539); ranked in the top 33.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-11638 affects the Gtbabel WordPress plugin in versions prior to 6.6.9. The vulnerability stems from the plugin's failure to validate that a URL submitted for code analysis belongs to the same blog, enabling unauthorized access to sensitive data. Specifically, when the plugin processes a URL for analysis, it includes cookies from the currently logged-in user in the request, exposing them if the URL is controlled by an attacker.
Unauthenticated attackers can exploit this issue over the network with low complexity, but it requires user interaction, such as tricking a logged-in user (e.g., an admin) into visiting a crafted URL. Successful exploitation allows the attacker to capture the victim's cookies, potentially leading to high-impact confidentiality, integrity, and availability violations, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). This could enable session hijacking or further compromise of the WordPress site.
Mitigation involves updating the Gtbabel plugin to version 6.6.9 or later, as indicated by the vulnerability's versioning details. Additional guidance is available in the WPScan advisory at https://wpscan.com/vulnerability/2f20336f-e12e-4b09-bcaf-45f7249f6495/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54135
Vulnerability details
The Gtbabel WordPress plugin before 6.6.9 does not ensure that the URL to perform code analysis upon belongs to the blog which could allow unauthenticated attackers to retrieve a logged in user (such as admin) cookies by making them open…
more
a crafted URL as the request made to analysed the URL contains such cookies.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly enables cookie capture by including logged-in user cookies in requests to attacker-controlled URLs when a victim visits a crafted link, mapping to stealing web session cookies.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of the submitted URL to ensure it belongs to the same blog, directly preventing the exploitation through lack of origin validation.
Mandates timely flaw remediation by updating the Gtbabel plugin to version 6.6.9 or later, eliminating the vulnerability.
Enforces approved information flow policies to restrict requests containing sensitive user cookies to only authorized same-site URLs.