CVE-2024-13497
Published: 15 March 2025
Summary
CVE-2024-13497 is a high-severity Basic XSS (CWE-80) vulnerability in Tripetto Tripetto. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validating uploaded attachments to prevent injection of malicious scripts due to insufficient input sanitization in the Tripetto plugin.
SI-15 mandates output filtering and escaping when displaying uploaded files, directly countering the lack of output escaping that enables stored XSS execution.
SI-2 ensures timely flaw remediation by updating the vulnerable Tripetto plugin versions up to 8.0.9 to patched releases.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing WordPress plugin enables remote exploitation of the application (T1190) and direct facilitation of web session cookie theft via injected scripts (T1539).
NVD Description
The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and including, 8.0.9 due to insufficient input sanitization and output…
more
escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file.
Deeper analysisAI
CVE-2024-13497 is a stored cross-site scripting (XSS) vulnerability in the Tripetto plugin for WordPress, a form builder for contact forms, surveys, and quizzes. It affects all versions up to and including 8.0.9 and stems from insufficient input sanitization and output escaping when handling attachment uploads. This flaw, associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By uploading malicious attachments containing arbitrary web scripts, attackers can inject code that executes in the context of pages displaying the uploaded files whenever any user, including administrators, accesses them. This leads to potential theft of session cookies, account takeover, or further site compromise due to the changed scope (S:C).
Mitigation details are available in plugin advisories and code references. The Wordfence threat intelligence page provides vulnerability analysis, while WordPress plugin trac links show the vulnerable code in attachments.php (line 46) and a changeset applying fixes between revisions 3231968 and 3251202 in the trunk branch, indicating that updating to a version beyond 8.0.9 resolves the issue. Security practitioners should urge site owners to update the Tripetto plugin immediately.
Details
- CWE(s)