CVE-2024-13055
Published: 27 January 2025
Summary
CVE-2024-13055 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Phycticio Dyn Business Panel. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-13055 is a reflected cross-site scripting (XSS) vulnerability, mapped to CWE-79, in the Dyn Business Panel WordPress plugin through version 1.0.0. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling attackers to inject and execute malicious scripts in the context of the victim's browser. Published on 2025-01-27, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An attacker can exploit this remotely over the network with low attack complexity and no privileges, but it requires user interaction: a victim, typically an administrator, must open a crafted link. Scope is Changed because the vulnerable component (the plugin, on the server) differs from the impacted component (the victim's browser), where the injected script runs with the victim's authenticated session. Against an admin this yields the low-rated but real confidentiality, integrity and availability impacts in the vector, such as reading page content or performing authenticated actions from the victim's browser. Since WordPress sets its authentication cookies HttpOnly, the practical impact is script acting within the victim's session (for example, calling admin-ajax or the REST API with the victim's cookies and nonce) rather than direct cookie theft.
The WPScan advisory at https://wpscan.com/vulnerability/91178272-ed7e-412c-a187-e360a1313004/ provides details on the vulnerability, including affected versions through 1.0.0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51309
Vulnerability details
The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin is reached by exploiting the exposed application (T1190) via a crafted link; the injected payload is JavaScript running in the victim's browser (T1059.007), which can be used to steal or ride the victim's web session (T1539). WordPress sets its authentication cookies HttpOnly, so the more realistic outcome is script acting within the admin's authenticated session rather than direct cookie theft.
Affected Assets
- Dyn Business Panel WordPress plugin, versions through 1.0.0 (per the WPScan advisory)
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): directly addresses the failure to escape the parameter on output. Context-appropriate escaping at the point of output (esc_html for element text, esc_attr for attribute values in WordPress) is the control that prevents the injected script from executing in the victim's browser.
- SI-10 (Information Input Validation): sanitise and validate the parameter on input (sanitize_text_field or a stricter allow-list in WordPress). This is defence in depth; input sanitisation alone does not replace output escaping, because an attribute breakout needs no HTML tags.
- SI-2 (Flaw Remediation): apply the vendor fix promptly. The advisory lists versions through 1.0.0 as affected, so update to a later release if the vendor has published one; until then, deactivating the plugin removes the reflected endpoint.
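What the WPScan description and the SI-10/SI-15 controls above mean in code, as an added example that is not the Dyn Business Panel plugin's own code: a hypothetical rendering function that reflects a request parameter (the name `dbp_filter` is assumed; the advisory does not name the affected parameter), first in the vulnerable form and then in a form that sanitises on input and escapes for the output context using the WordPress escaping API. The `function_exists` shims exist only so the file runs outside WordPress and approximate core's behaviour; they are not part of the fix.

```php
<?php
// Added example; not code from the Dyn Business Panel plugin. The parameter
// name 'dbp_filter' and the two render functions are hypothetical.

// Shims so this file runs outside WordPress. They approximate the core
// functions of the same name; real plugin code must use core's versions
// and never redefine them.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        $s = strip_tags($s);                              // core uses wp_strip_all_tags
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);   // drop control characters
        return trim($s);
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($v) { return is_string($v) ? stripslashes($v) : $v; }
}

// Vulnerable pattern (CWE-79): the request parameter is written back into
// the page with no sanitisation on input and no escaping on output.
function dbp_render_filter_vulnerable(array $get): string {
    $filter = $get['dbp_filter'] ?? '';
    return '<input type="text" name="dbp_filter" value="' . $filter . '">'
         . "\n" . '<p>Showing results for: ' . $filter . '</p>';
}

// Hardened: sanitise on input (SI-10) and escape for the exact output
// context on output (SI-15). Attribute values get esc_attr(), element
// text gets esc_html(). Sanitising alone is not enough: an attribute
// breakout needs no tags, so only output escaping neutralises it.
function dbp_render_filter_hardened(array $get): string {
    $filter = isset($get['dbp_filter'])
        ? sanitize_text_field(wp_unslash($get['dbp_filter']))
        : '';
    return '<input type="text" name="dbp_filter" value="' . esc_attr($filter) . '">'
         . "\n" . '<p>Showing results for: ' . esc_html($filter) . '</p>';
}

// Constructed payloads (not taken from the advisory's proof of concept).
$payloads = [
    'tag injection'      => '"><script>alert(document.domain)</script>',
    'attribute breakout' => '" autofocus onfocus="alert(document.domain)',
];

foreach ($payloads as $label => $payload) {
    $request = ['dbp_filter' => $payload];
    echo "== $label ==\n";
    echo "vulnerable:\n", dbp_render_filter_vulnerable($request), "\n";
    echo "hardened:\n",   dbp_render_filter_hardened($request), "\n\n";
}
```

Run it with `php reflected_xss.php` and compare the two renderings per payload. The second payload is the instructive one: it contains no tags, so the input-side sanitiser passes it through and the vulnerable output gains an `onfocus` handler, while the hardened output encodes the quote and the browser sees it as inert attribute text. In a real plugin, the same rule applies to every output sink (URLs get esc_url, inline JS data gets wp_json_encode), and the request should additionally be tied to a capability check and nonce where it triggers a state change.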