CVE-2024-13056
Published: 27 January 2025
Summary
CVE-2024-13056 is a high-severity reflected cross-site scripting (XSS, CWE-79) vulnerability in Phycticio Dyn Business Panel. Its CVSS v3.1 base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability sits at the 29.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering), which addresses the missing escaping directly, and SI-10 (Information Input Validation) as a second layer.
Deeper analysis
CVE-2024-13056 affects the Dyn Business Panel WordPress plugin through version 1.0.0. It is a reflected cross-site scripting (XSS) issue: the plugin takes a request parameter and writes it back into the page without sanitising it on input or escaping it for the output context. Classified under CWE-79, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and was published on 2025-01-27.
An attacker exploits it over the network, with low complexity and no privileges, by placing a script payload in the unsanitised parameter of a crafted URL. Exploitation requires user interaction: the victim, typically a high-privilege user such as an administrator, has to open that link (or a page that loads it) while logged in. The payload then runs in the victim's browser within the site's origin, so it can issue authenticated requests on the administrator's behalf. WordPress marks its authentication cookies HttpOnly, which blocks direct cookie theft, but not actions driven from the injected script. Because the script executes in the browser rather than in the vulnerable component itself, the scope is changed, with low impact rated on confidentiality, integrity and availability.
The WPScan advisory at https://wpscan.com/vulnerability/a6acb608-a23e-461d-af48-a6669a45594a/ provides additional details, including who identified and reported the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51310
Vulnerability details
The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The reflected XSS is reached through a public-facing WordPress site, so exploiting it is direct exploitation of an Internet-exposed web application over the network, which is the definition of T1190.
Mitigating Controls (NIST 800-53 r5)
SI-15 requires filtering of information outputs. Escaping the parameter for the context it is written into (esc_html for text, esc_attr inside attributes, esc_url for links) is the control that actually neutralises reflected XSS, because it works regardless of what the attacker put in the request.
SI-10 requires validation of information inputs. Sanitising the parameter before the plugin processes it (for example with sanitize_text_field) is a second layer: it reduces what reaches the output path, but on its own it does not replace output escaping.
SI-2 requires timely flaw remediation. The advisory lists the plugin as affected through 1.0.0 and does not name a fixed release; until one is available, the practical remediation is to deactivate or remove the plugin, and to apply the vendor update as soon as it ships.
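The defect pattern from the "Deeper analysis" section and the SI-10/SI-15 controls above, shown side by side as an added example. This is not the plugin's code: the advisory does not name the vulnerable parameter, so `dbp_q` and the page layout are assumptions. The small `function_exists` stand-ins only let the file run under plain `php` outside WordPress; inside WordPress the real core functions are used.

```php
<?php
// Added example, not the Dyn Business Panel plugin's code. Parameter name
// 'dbp_q' and the markup are assumptions for illustration.

// Stand-ins so this runs under `php` outside WordPress. Inside WordPress the
// core functions exist and these blocks are skipped. They approximate core
// behaviour; the real functions handle charsets and edge cases more fully.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $v ) { return is_string( $v ) ? stripslashes( $v ) : $v; }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $v ) {
        $v = strip_tags( (string) $v );                     // drop HTML tags
        $v = preg_replace( '/[\x00-\x1F\x7F]/', '', $v );   // drop control chars
        return trim( preg_replace( '/\s+/', ' ', $v ) );    // collapse whitespace
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $v ) { return htmlspecialchars( (string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $v ) { return htmlspecialchars( (string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
}

// BEFORE: the pattern the advisory describes. The request parameter is
// written straight into an attribute and into text with no escaping, so
// a value containing '">' closes the attribute and starts a new element.
function dbp_render_vulnerable( array $get ) : string {
    $q = isset( $get['dbp_q'] ) ? $get['dbp_q'] : '';
    return '<input type="text" name="dbp_q" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>';
}

// AFTER: unslash, sanitise on input (SI-10), then escape for the exact
// output context (SI-15): esc_attr inside the attribute, esc_html in text.
// The escaping alone would already neutralise the payload; the sanitise
// step is the additional input-validation layer.
function dbp_render_hardened( array $get ) : string {
    $q = isset( $get['dbp_q'] ) ? sanitize_text_field( wp_unslash( $get['dbp_q'] ) ) : '';
    return '<input type="text" name="dbp_q" value="' . esc_attr( $q ) . '">'
         . '<p>Results for: ' . esc_html( $q ) . '</p>';
}

// Constructed payload of the kind a reflected-XSS link would carry. In the
// vulnerable output it breaks out of the value attribute and injects an
// <img> with an onerror handler; in the hardened output the tag is stripped
// and the remaining '">' is emitted as &quot;&gt;.
$payload = '"><img src=x onerror=alert(document.domain)>';
echo "vulnerable: ", dbp_render_vulnerable( [ 'dbp_q' => $payload ] ), "\n";
echo "hardened:   ", dbp_render_hardened( [ 'dbp_q' => $payload ] ), "\n";
```

Escape at the point of output, for the context the value lands in; a value that is safe inside `<p>` text is not automatically safe inside an attribute, a `<script>` block or a URL, and WordPress ships a separate `esc_*` function for each of those contexts.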