Cyber Resilience

CVE-2024-11638

HighPublic PoC

Published: 10 March 2025

Published
10 March 2025
Modified
21 May 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0051 67.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11638 is a high-severity an unspecified weakness vulnerability in Gtbabel Gtbabel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539); ranked in the top 33.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-11638 affects the Gtbabel WordPress plugin in versions prior to 6.6.9. The vulnerability stems from the plugin's failure to validate that a URL submitted for code analysis belongs to the same blog, enabling unauthorized access to sensitive data. Specifically, when the plugin processes a URL for analysis, it includes cookies from the currently logged-in user in the request, exposing them if the URL is controlled by an attacker.

Unauthenticated attackers can exploit this issue over the network with low complexity, but it requires user interaction, such as tricking a logged-in user (e.g., an admin) into visiting a crafted URL. Successful exploitation allows the attacker to capture the victim's cookies, potentially leading to high-impact confidentiality, integrity, and availability violations, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). This could enable session hijacking or further compromise of the WordPress site.

Mitigation involves updating the Gtbabel plugin to version 6.6.9 or later, as indicated by the vulnerability's versioning details. Additional guidance is available in the WPScan advisory at https://wpscan.com/vulnerability/2f20336f-e12e-4b09-bcaf-45f7249f6495/.

EU & UK References

Vulnerability details

The Gtbabel WordPress plugin before 6.6.9 does not ensure that the URL to perform code analysis upon belongs to the blog which could allow unauthenticated attackers to retrieve a logged in user (such as admin) cookies by making them open…

more

a crafted URL as the request made to analysed the URL contains such cookies.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

The vulnerability directly enables cookie capture by including logged-in user cookies in requests to attacker-controlled URLs when a victim visits a crafted link, mapping to stealing web session cookies.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

gtbabel
gtbabel
≤ 6.6.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of the submitted URL to ensure it belongs to the same blog, directly preventing the exploitation through lack of origin validation.

prevent

Mandates timely flaw remediation by updating the Gtbabel plugin to version 6.6.9 or later, eliminating the vulnerability.

prevent

Enforces approved information flow policies to restrict requests containing sensitive user cookies to only authorized same-site URLs.

References