CVE-2024-13057
Published: 27 January 2025
Summary
CVE-2024-13057 is a high-severity CSRF (CWE-352) vulnerability in Phycticio Dyn Business Panel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 27.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-13057 affects the Dyn Business Panel WordPress plugin through version 1.0.0. The vulnerability stems from missing Cross-Site Request Forgery (CSRF) checks in certain areas, combined with inadequate input sanitization and output escaping. This flaw, classified under CWE-352, enables attackers to inject Stored Cross-Site Scripting (XSS) payloads. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity: it is reachable over the network with low attack complexity and no privileges required, it needs user interaction (a logged-in administrator must visit an attacker-controlled page), and it has a changed scope with low impact on each of confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability by crafting malicious web pages or links that, when visited by a logged-in administrator, trigger CSRF requests to the vulnerable plugin endpoints. This tricks the admin into unknowingly adding Stored XSS payloads to the site, which can then execute arbitrary JavaScript in the context of other users, including admins, potentially leading to session hijacking, data theft, or further site compromise.
Advisories detailing the issue are available from WPScan at https://wpscan.com/vulnerability/6f869a3d-1ac1-4d31-8fe5-9b9795b15b5b/. The vulnerability was published on 2025-01-27.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51311
Vulnerability details
The Dyn Business Panel WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress plugin enables unauthenticated exploitation via malicious links or pages that inject stored XSS, directly facilitating arbitrary JavaScript execution in victims' browsers.
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): enforces session authenticity mechanisms such as anti-CSRF tokens to prevent unauthorized requests that trick logged-in admins into adding XSS payloads.
- SI-10 (Information Input Validation): requires validation and sanitization of inputs to block injection of malicious Stored XSS payloads via vulnerable plugin endpoints.
- Output filtering and escaping: mandates escaping of stored content before it is rendered, neutralizing stored XSS payloads before they execute in users' browsers.
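The three controls above map onto three lines of code in a WordPress settings handler. The following is an added illustration, not the plugin's own code: a hypothetical admin-post handler of the kind the "Deeper analysis" section describes, first in the vulnerable shape (no nonce check, no sanitisation, no escaping) and then hardened. The `dbp_*` function, option and action names are assumptions for the example.

```php
<?php
// Added example, not code from the Dyn Business Panel plugin.
// All dbp_* names are hypothetical.

// VULNERABLE PATTERN (not hooked anywhere here; shown for contrast).
// Any page a logged-in admin visits can POST to this handler, the value
// is stored unsanitised, and it is later echoed raw into admin pages.
function dbp_save_title_vulnerable() {
    update_option( 'dbp_title', $_POST['dbp_title'] );   // no nonce, no sanitisation
}
function dbp_render_title_vulnerable() {
    echo '<h2>' . get_option( 'dbp_title' ) . '</h2>';    // no output escaping
}

// HARDENED PATTERN: each line below corresponds to one mitigating control.
function dbp_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'dbp_save_title', 'dbp_nonce' );   // SC-23: per-action anti-CSRF token
    echo '<input type="hidden" name="action" value="dbp_save_title">';
    echo '<input type="text" name="dbp_title" value="'
        . esc_attr( get_option( 'dbp_title', '' ) ) . '">';   // escape into attribute context
    echo '<button type="submit">Save</button></form>';
}

function dbp_save_title_hardened() {
    // SC-23: reject any request that lacks a valid nonce for this action (dies on failure).
    check_admin_referer( 'dbp_save_title', 'dbp_nonce' );
    // Least privilege: the nonce proves intent, the capability check proves authority.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // SI-10: sanitise before storing (strips tags, encodes stray entities, trims).
    $title = isset( $_POST['dbp_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['dbp_title'] ) )
        : '';
    update_option( 'dbp_title', $title );
    wp_safe_redirect( admin_url( 'options-general.php?page=dbp' ) );
    exit;
}
add_action( 'admin_post_dbp_save_title', 'dbp_save_title_hardened' );

function dbp_render_title_hardened() {
    // Output escaping: neutralises anything that reached the database regardless.
    echo '<h2>' . esc_html( get_option( 'dbp_title', '' ) ) . '</h2>';
}
```

When reviewing a plugin for this class of bug, look for `update_option`/`$wpdb` writes reachable from `admin_post_*` or `wp_ajax_*` hooks without a preceding `check_admin_referer`/`wp_verify_nonce` and capability check, and for `echo` of stored options without an `esc_*` wrapper.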