CVE-2024-13094
Published: 27 January 2025
Summary
CVE-2024-13094 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Wptriggers Wp Triggers Lite. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-13094 is a reflected cross-site scripting (XSS) vulnerability in the WP Triggers Lite WordPress plugin through version 2.5.3. The flaw arises because the plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing malicious scripts to be injected and executed in a user's browser. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and is associated with CWE-79 (Cross-Site Scripting).
An unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by tricking a targeted high-privilege user, such as an admin, into interacting with a maliciously crafted link or page (UI:R). Successful exploitation changes the scope (S:C) and enables limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially allowing the attacker to steal session cookies, impersonate the admin, or perform other actions in the victim's browser context.
The WPScan advisory at https://wpscan.com/vulnerability/7a75809e-824e-458e-bd01-50dadcea7713/ provides detailed information on the vulnerability, including technical analysis and mitigation guidance such as updating the plugin to a release later than 2.5.3 where one is available. Security practitioners should review the full report for reproduction steps and remediation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51335
Vulnerability details
The WP Triggers Lite WordPress plugin through 2.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables exploitation of internet-facing software (T1190) and facilitates theft of web session cookies via injected scripts (T1539).
Mitigating Controls (NIST 800-53 r5)
SI-15 requires filtering of information outputs before display, directly preventing reflected XSS by ensuring parameters are escaped and sanitized prior to rendering in the page.
SI-10 enforces validation of information inputs, blocking malicious scripts in parameters from being processed and reflected by the WordPress plugin.
SI-2 mandates identification and remediation of system flaws, such as updating the vulnerable WP Triggers Lite plugin beyond version 2.5.3 to eliminate the XSS vulnerability.
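As an added illustration that is not code from the WP Triggers Lite plugin or the WPScan advisory, the snippet below contrasts the unescaped-reflection pattern described in the deeper analysis with a hardened form that applies SI-10 (input validation) and SI-15 (output filtering) using WordPress's own sanitisation and escaping functions. The parameter name `wpt_msg` and both function names are hypothetical placeholders, since the page does not name the affected parameter.

```php
<?php
// Added example, not code from the WP Triggers Lite plugin: the generic
// reflected-XSS pattern described above beside a hardened form that applies
// SI-10 (input validation) and SI-15 (output filtering) with WordPress APIs.
// The parameter name "wpt_msg" and both function names are hypothetical.

/**
 * Weak pattern: a request parameter is echoed straight into the page.
 * Whatever markup the URL carries is rendered in the visitor's browser.
 */
function wpt_render_message_unsafe() {
    $msg = isset( $_GET['wpt_msg'] ) ? $_GET['wpt_msg'] : '';
    echo '<div class="wpt-notice" title="' . $msg . '">' . $msg . '</div>';
}

/**
 * Hardened pattern.
 *  - SI-10: wp_unslash() + sanitize_text_field() strip tags, invalid octets
 *    and line breaks from the input before it is used at all.
 *  - SI-15: every reflection is escaped for the context it lands in:
 *    esc_attr() inside an attribute, esc_html() in element content.
 * Escaping happens at output even though the input was sanitised, so a
 * future code path that bypasses the sanitiser is still covered.
 */
function wpt_render_message_safe() {
    $raw = isset( $_GET['wpt_msg'] ) ? wp_unslash( $_GET['wpt_msg'] ) : '';
    $msg = sanitize_text_field( $raw );

    // Optional allow-list: if the parameter only ever carries known
    // values, reject anything else instead of reflecting it.
    $allowed = array( 'saved', 'error', '' );
    if ( ! in_array( $msg, $allowed, true ) ) {
        $msg = '';
    }

    printf(
        '<div class="wpt-notice" title="%s">%s</div>',
        esc_attr( $msg ),
        esc_html( $msg )
    );
}
```

Reviewing a plugin for this class of flaw means checking every `echo`/`printf` of request-derived data for a context-appropriate `esc_*()` call, not only for sanitisation at the point of input.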