Cyber Resilience

CVE-2024-13056

Severity: High · Public PoC referenced

Published: 27 January 2025
Modified: 07 May 2025
KEV Added: not listed
CVSS v3.1 score: 7.1 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS score: 0.0011 (29.7th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13056 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Phycticio Dyn Business Panel. Its CVSS base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 29.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-13056 affects the Dyn Business Panel WordPress plugin through version 1.0.0. The vulnerability is a reflected cross-site scripting (XSS) issue arising from the plugin's failure to sanitize and escape a parameter before outputting it back in the page. Classified under CWE-79, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and was published on 2025-01-27.

An attacker can exploit this vulnerability over the network with low complexity and no required privileges by placing a crafted value in the unsanitized parameter. Exploitation requires user interaction, typically tricking a high-privilege user such as an administrator into opening a malicious link or page. A successful attack reflects the attacker's script into the victim's browser, potentially allowing session hijacking or execution of arbitrary script in the victim's browser context. The CVSS vector rates the confidentiality, integrity and availability impacts as low with a changed scope, because the script executes in the victim's browser rather than in the vulnerable web application itself.

The WPScan advisory at https://wpscan.com/vulnerability/a6acb608-a23e-461d-af48-a6669a45594a/ provides additional details on the vulnerability, including identification and reporting information.

Vulnerability details

The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

Reflected XSS in a public-facing WordPress plugin is exploitation of a web application vulnerability over the network, which is exactly what T1190 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2024-13055 (same product: Phycticio Dyn Business Panel)
- CVE-2024-13057 (same product: Phycticio Dyn Business Panel)
- CVE-2021-47873 (shared CWE-79)
- CVE-2026-7052 (shared CWE-79)
- CVE-2024-56060 (shared CWE-79)
- CVE-2025-49043 (shared CWE-79)
- CVE-2026-40038 (shared CWE-79)
- CVE-2024-56022 (shared CWE-79)
- CVE-2025-68889 (shared CWE-79)
- CVE-2026-1074 (shared CWE-79)

Affected Assets

Vendor: phycticio
Product: dyn business panel
Version: 1.0.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-15 Information Output Filtering (prevent)

SI-15 mandates filtering of information outputs. It directly addresses the root cause here: the parameter is written back into the page without being escaped for its HTML context, which is what makes the reflected XSS possible.

SI-10 Information Input Validation (prevent)

SI-10 requires validation of information inputs. Sanitizing and validating the parameter before the WordPress plugin processes it removes script-bearing values before they can reach the output.

SI-2 Flaw Remediation (prevent)

SI-2 ensures timely flaw remediation, such as updating the Dyn Business Panel plugin to a version beyond 1.0.0, which removes the XSS flaw at its source rather than relying on compensating controls.
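The flaw class described in the Deeper analysis section and the SI-10 / SI-15 controls above, shown side by side as an added example. This is illustrative code written for this page, not the Dyn Business Panel plugin's own source: the parameter name `panel_tab`, the tab allow-list and the two `render_tab_*` functions are assumptions. The WordPress helpers `wp_unslash`, `sanitize_text_field`, `esc_attr` and `esc_html` are real WordPress functions; outside WordPress the block defines approximate equivalents so it runs stand-alone with `php`.

```php
<?php
// Added example: reflected XSS from an unescaped request parameter (the CWE-79
// pattern on this page) next to the hardened form. Not the plugin's own code.

// Stand-alone fallbacks so the file runs outside WordPress. Inside WordPress the
// real functions are already defined and these blocks are skipped.
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) { return is_string($value) ? stripslashes($value) : $value; }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress behaviour: drop NUL bytes and tags, trim whitespace.
    function sanitize_text_field(string $s): string {
        return trim(strip_tags(str_replace("\0", '', $s)));
    }
}
if (!function_exists('esc_html')) {
    // Approximation: WordPress additionally avoids double-encoding existing entities.
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the request parameter is concatenated straight into markup,
// both inside an attribute value and inside element text. Whatever the URL carries
// is reflected verbatim into the page served to the viewing user.
function render_tab_vulnerable(array $get): string {
    $tab = $get['panel_tab'] ?? 'overview';              // assumed parameter name
    return '<div class="dyn-panel" data-tab="' . $tab . '">Current tab: ' . $tab . '</div>';
}

// Hardened pattern:
//  SI-10 (input validation): unslash, sanitize, then restrict to an allow-list of
//         values the handler actually understands, so unexpected input is never
//         reflected at all.
//  SI-15 (output filtering): escape for the exact output context, esc_attr() inside
//         the attribute and esc_html() inside element text.
function render_tab_hardened(array $get): string {
    $raw     = sanitize_text_field(wp_unslash($get['panel_tab'] ?? 'overview'));
    $allowed = ['overview', 'orders', 'settings'];         // assumed tab names
    $tab     = in_array($raw, $allowed, true) ? $raw : 'overview';
    return '<div class="dyn-panel" data-tab="' . esc_attr($tab) . '">Current tab: '
         . esc_html($tab) . '</div>';
}

// Constructed request value containing markup, of the kind a scanner or a test case
// would send; it closes the attribute and opens a script element in the vulnerable path.
$request = ['panel_tab' => '"><script>alert(1)</script>'];

echo "Vulnerable output:\n" . render_tab_vulnerable($request) . "\n\n";
echo "Hardened output:\n"   . render_tab_hardened($request) . "\n";
```

Run with `php example.php`. The vulnerable output contains a live `<script>` element; the hardened output reflects only `overview`, and even if the allow-list were removed the escaping alone would leave the markup inert (`&quot;&gt;&lt;script&gt;...`). Keep both layers: the allow-list limits what can be reflected, the context-specific escaping protects any value that does reach the page.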

References

- WPScan advisory: https://wpscan.com/vulnerability/a6acb608-a23e-461d-af48-a6669a45594a/