Cyber Resilience

CVE-2024-13055

Severity: High · Public PoC available

Published: 27 January 2025
Modified: 07 May 2025
KEV Added: not listed
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS score: 0.0221 (84.8th percentile)
Risk priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13055 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Phycticio Dyn Business Panel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-13055 is a reflected cross-site scripting (XSS) vulnerability, mapped to CWE-79, in the Dyn Business Panel WordPress plugin through version 1.0.0. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling attackers to inject and execute malicious scripts in the context of the victim's browser. Published on 2025-01-27, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

An attacker can exploit this remotely over the network with low attack complexity and no privileges required, but it depends on user interaction, such as an administrator clicking a crafted link. The changed scope reflects that the flaw sits in the plugin while the payload executes in the victim's browser with the victim's privileges; against a high-privilege user such as an admin this yields limited impacts on confidentiality, integrity, and availability, for example session hijacking or unauthorized actions performed from the browser context.

The WPScan advisory at https://wpscan.com/vulnerability/91178272-ed7e-412c-a187-e360a1313004/ provides details on the vulnerability, including affected versions through 1.0.0.

Vulnerability details

The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CWE(s)

CWE-79 Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
  Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution)
  Adversaries may abuse various implementations of JavaScript for execution.
T1539 Steal Web Session Cookie (Credential Access)
  An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

Reflected XSS in a public-facing WordPress plugin directly enables remote script execution (T1190) via crafted links carrying JavaScript (T1059.007), which in turn facilitates session hijacking (T1539).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13056 (same product: Phycticio Dyn Business Panel)
CVE-2024-13057 (same product: Phycticio Dyn Business Panel)
CVE-2025-23538 (shared CWE-79)
CVE-2026-27099 (shared CWE-79)
CVE-2025-12716 (shared CWE-79)
CVE-2026-34563 (shared CWE-79)
CVE-2025-68883 (shared CWE-79)
CVE-2024-13875 (shared CWE-79)
CVE-2026-24778 (shared CWE-79)
CVE-2025-64539 (shared CWE-79)

Affected Assets

phycticio / dyn business panel / 1.0.0

Mitigating Controls (NIST 800-53 r5, AI)

SI-15 Information Output Filtering (prevent)
  Directly addresses the failure to escape output parameters, preventing malicious script execution in victims' browsers for this reflected XSS vulnerability.

SI-10 Information Input Validation (prevent)
  Enforces sanitization and validation of unsanitized input parameters, blocking injection of malicious scripts in the Dyn Business Panel plugin.

Flaw remediation (prevent)
  Requires timely patching of the specific flaw in the WordPress plugin through version 1.0.0 to remediate the XSS vulnerability.
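The defect class described in the deeper analysis and the two controls above (SI-10 input validation, SI-15 output filtering) side by side, as an added PHP illustration that is not the Dyn Business Panel plugin's code. It assumes the WordPress core helpers wp_unslash(), sanitize_text_field(), esc_html() and esc_attr(); the parameter name "q" is a placeholder, since the advisory does not name the affected parameter.

```php
<?php
// Added illustration, not the plugin's code. Inside WordPress the helper
// functions come from core; the fallbacks below exist only so the file
// also runs on the PHP CLI for comparison, and are simplified versions.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $v ) { return stripslashes( (string) $v ); }
    function sanitize_text_field( $v ) {
        // Core does more (invalid UTF-8, whitespace normalisation); this is the gist.
        return trim( preg_replace( '/[\x00-\x1F\x7F]/', '', strip_tags( (string) $v ) ) );
    }
    function esc_html( $v ) { return htmlspecialchars( (string) $v, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
    function esc_attr( $v ) { return esc_html( $v ); }
}

// BEFORE: the pattern the advisory describes (CWE-79). The request parameter
// is echoed straight into the page, so any markup in it is parsed by the
// victim's browser instead of being shown as text.
function render_unsafe( array $request ) {
    $term = isset( $request['q'] ) ? $request['q'] : '';
    return '<p>Results for: ' . $term . '</p>';
}

// AFTER: SI-10 on the way in (sanitize_text_field strips tags and control
// characters) and SI-15 on the way out (esc_html turns the HTML-significant
// characters that remain into entities, so the browser renders them as text).
function render_safe( array $request ) {
    $term = isset( $request['q'] ) ? sanitize_text_field( wp_unslash( $request['q'] ) ) : '';
    return '<p>Results for: ' . esc_html( $term ) . '</p>';
}

// Escaping is context-specific: a value placed in an attribute needs esc_attr(),
// a value placed in a URL needs esc_url(). Element-content escaping alone is not
// enough when the same value is reflected into a different context.
function render_safe_attr( array $request ) {
    $term = isset( $request['q'] ) ? sanitize_text_field( wp_unslash( $request['q'] ) ) : '';
    return '<input type="text" name="q" value="' . esc_attr( $term ) . '">';
}

// Constructed sample request: a harmless value that nonetheless carries markup.
$sample = array( 'q' => '<b>widgets</b>' );
echo render_unsafe( $sample ), "\n";    // markup reaches the page unchanged
echo render_safe( $sample ), "\n";      // tags stripped, remainder entity-encoded
echo render_safe_attr( $sample ), "\n"; // attribute-safe form of the same value
```

Checking a plugin for this class of bug means finding every place a request value reaches output and confirming an escaper matching that output context sits between them.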
