Cyber Resilience

CVE-2024-13057

High · Public PoC

Published: 27 January 2025
Modified: 07 May 2025
KEV Added: not listed
Patch:
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0010 (percentile 27.1)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13057 is a high-severity CSRF (CWE-352) vulnerability in Phycticio Dyn Business Panel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 27.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13057 affects the Dyn Business Panel WordPress plugin through version 1.0.0. The vulnerability stems from missing Cross-Site Request Forgery (CSRF) checks in certain areas, combined with inadequate input sanitization and output escaping. This flaw, classified under CWE-352, enables attackers to inject Stored Cross-Site Scripting (XSS) payloads. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity: the attack is network-accessible, of low complexity and needs no privileges, but does require user interaction; the scope is changed, with low impact on each of confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability by crafting malicious web pages or links that, when visited by a logged-in administrator, cause the administrator's browser to send forged requests to the vulnerable plugin endpoints. The admin thereby unknowingly stores XSS payloads on the site, which can then execute arbitrary JavaScript in the browsers of other users, including admins, potentially leading to session hijacking, data theft, or further site compromise.

Advisories detailing the issue are available from WPScan at https://wpscan.com/vulnerability/6f869a3d-1ac1-4d31-8fe5-9b9795b15b5b/. The vulnerability was published on 2025-01-27.

EU & UK References

Vulnerability details

The Dyn Business Panel WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

The vulnerability sits in a public-facing WordPress plugin and can be exploited without authentication via malicious links or pages that inject stored XSS, which directly leads to arbitrary JavaScript execution in victims' browsers.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13055: same product (Phycticio Dyn Business Panel)
CVE-2024-13056: same product (Phycticio Dyn Business Panel)
CVE-2025-28931: shared CWE-352
CVE-2025-23980: shared CWE-352
CVE-2025-23710: shared CWE-352
CVE-2025-23822: shared CWE-352
CVE-2025-25128: shared CWE-352
CVE-2025-31616: shared CWE-352
CVE-2025-23483: shared CWE-352
CVE-2025-23817: shared CWE-352

Affected Assets

phycticio
dyn business panel
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Enforces session authenticity mechanisms like anti-CSRF tokens to prevent unauthorized requests that trick logged-in admins into adding XSS payloads.

prevent: Requires validation and sanitization of inputs to block injection of malicious Stored XSS payloads via vulnerable plugin endpoints.

prevent: Mandates output filtering and escaping to neutralize stored XSS payloads before they execute in users' browsers.
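The three controls above map onto three lines of a typical WordPress settings handler. The following is an added illustration written for this page; it is not code from the Dyn Business Panel plugin, and the handler names, option name (`dbp_panel_title`) and nonce action are assumptions. The weak handler reproduces the pattern the advisory describes (no CSRF check, no sanitisation, no escaping); the hardened one adds a nonce check (session authenticity), sanitises the input before it is stored, and escapes on output, using standard WordPress core functions.

```php
<?php
// Added example, not the plugin's own code. Hypothetical handler that saves a
// "panel title" setting from an admin form; dbp_* names are assumptions.

// Weak pattern, as described in the advisory: any POST reaching this hook is
// honoured, so a forged cross-site form submitted by a logged-in admin's
// browser stores attacker-supplied markup, and it is later echoed unescaped.
function dbp_save_settings_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    update_option( 'dbp_panel_title', $_POST['panel_title'] ); // stored as-is
    wp_safe_redirect( admin_url( 'admin.php?page=dbp' ) );
    exit;
}

function dbp_render_title_weak() {
    echo '<h1>' . get_option( 'dbp_panel_title' ) . '</h1>';   // unescaped
}

// Hardened pattern: nonce check, input sanitisation, output escaping.
function dbp_save_settings_hardened() {
    // check_admin_referer() verifies a nonce bound to this action and the
    // current user's session and dies on failure. A cross-site page cannot
    // read the nonce, so its forged POST never reaches update_option().
    check_admin_referer( 'dbp_save_settings', 'dbp_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }

    // Strip tags and control characters before the value is persisted.
    $title = isset( $_POST['panel_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['panel_title'] ) )
        : '';
    update_option( 'dbp_panel_title', $title );

    wp_safe_redirect( admin_url( 'admin.php?page=dbp' ) );
    exit;
}

function dbp_render_title_hardened() {
    // Escape at output time regardless of what was stored: this still
    // neutralises an older, unsanitised value left in the database.
    echo '<h1>' . esc_html( get_option( 'dbp_panel_title', '' ) ) . '</h1>';
}

// The legitimate form must emit the nonce the hardened handler checks.
function dbp_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dbp_save_settings">
        <?php wp_nonce_field( 'dbp_save_settings', 'dbp_nonce' ); ?>
        <input type="text" name="panel_title"
               value="<?php echo esc_attr( get_option( 'dbp_panel_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Only the hardened handler is wired up; the weak one is shown for contrast.
add_action( 'admin_post_dbp_save_settings', 'dbp_save_settings_hardened' );
```

Note that the capability check alone does not help against CSRF: the forged request is made by the admin's own browser with the admin's own cookies, so `current_user_can()` passes. The nonce is what distinguishes a request the admin meant to send from one a third-party page triggered, and the sanitise-on-input plus escape-on-output pair is what keeps a stored value from becoming script when rendered.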

References