CVE-2024-13509
Published: 28 January 2025
Summary
CVE-2024-13509 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Westguardsolutions Ws Form. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 24.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-13509 is a stored cross-site scripting (XSS) vulnerability affecting the WS Form LITE and PRO plugins for WordPress in all versions up to and including 1.10.13. The flaw stems from insufficient input sanitization and output escaping of the url parameter, allowing arbitrary web scripts to be injected into pages. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is associated with CWE-79.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting a script payload via the url parameter, an attacker causes it to execute in the browser of every user who accesses an affected page. Because the vulnerability changes scope (S:C), the impact extends beyond the plugin itself into the victim's browser context, potentially leading to session hijacking, data theft, or further compromise there.
Advisories indicate the vulnerability is partially fixed in version 1.10.13 and completely addressed in version 1.10.14. Relevant references include WordPress plugin trac changesets 3225862 and 3226595, the WS Form changelog at wsform.com, and Wordfence threat intelligence detailing the issue. Security practitioners should urge WordPress site administrators using affected WS Form plugins to update immediately to mitigate risks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51640
Vulnerability details
The WS Form LITE and PRO plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin directly enables T1190 via unauthenticated script injection over the network.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly mitigates the insufficient input sanitization of the url parameter that enables unauthenticated attackers to inject arbitrary web scripts.
SI-15 (Information Output Filtering): directly addresses the insufficient output escaping that allows injected scripts to execute in users' browsers when they access affected pages.
SI-2 (Flaw Remediation): ensures timely remediation by patching WS Form plugins to version 1.10.14, which completely fixes the stored XSS vulnerability.
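To make the two code-level controls above (SI-10 input validation and SI-15 output filtering) concrete, the following is an added illustration written for this record. It is not WS Form's code and does not reproduce the plugin's actual flaw: it is a hypothetical fragment in which a "url" parameter is stored and later rendered into an anchor tag. Plain-PHP functions are used so the script runs from the command line; the WordPress helpers each one stands in for (esc_url_raw, esc_url, esc_attr) are named in the comments. The sample inputs are constructed for the demonstration.

```php
<?php
// Added illustration for a CVE-2024-13509-style stored XSS via a "url" parameter.
// This is NOT WS Form's code; it is a hypothetical plugin fragment written to show
// the two controls the record maps: SI-10 (input validation) and SI-15 (output filtering).
// Plain-PHP equivalents are used so it runs from the CLI; the WordPress function each
// one replaces is named in the comments.

declare(strict_types=1);

// --- Vulnerable pattern (CWE-79): the stored value is echoed into markup untouched. ---
function render_link_unsafe(string $storedUrl): string
{
    return '<a href="' . $storedUrl . '">Open</a>';
}

// --- SI-10 Information Input Validation: validate and sanitize before storing. ---
// WordPress equivalent: esc_url_raw() (rejects disallowed schemes and control characters).
function sanitize_url_input(string $raw): ?string
{
    $raw = trim($raw);
    // Reject anything that is not a syntactically valid absolute URL.
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Allow-list schemes; this blocks javascript:, data:, vbscript: and similar.
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $raw;
}

// --- SI-15 Information Output Filtering: escape at the point of output, every time. ---
// WordPress equivalents: esc_url() for href values, esc_attr()/esc_html() elsewhere.
function render_link_safe(?string $storedUrl): string
{
    if ($storedUrl === null) {
        return '<a href="#">Open</a>';
    }
    // ENT_QUOTES escapes both quote characters, so the value cannot break out of the attribute.
    $escaped = htmlspecialchars($storedUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">Open</a>';
}

// Constructed sample inputs (not taken from the advisory): a benign URL,
// an attribute-breakout attempt, and a script-scheme URL.
$samples = [
    'https://example.com/page?id=1&view=full',
    '"><script>alert(1)</script>',
    'javascript:alert(1)',
];

foreach ($samples as $input) {
    echo "input:     {$input}\n";
    echo "unsafe:    " . render_link_unsafe($input) . "\n";   // attacker markup lands in the page as-is
    $clean = sanitize_url_input($input);                        // SI-10: null for the two hostile inputs
    echo "validated: " . var_export($clean, true) . "\n";
    echo "safe:      " . render_link_safe($clean) . "\n\n";    // SI-15: only escaped, allow-listed URLs reach the page
}
```

Run with `php example.php`. The benign URL survives both layers (its `&` becomes `&amp;` inside the attribute, which is correct HTML), while the two hostile inputs are rejected at the input layer and would be neutralized by the output layer even if validation were bypassed. Keeping both layers is the point of mapping SI-10 and SI-15 separately: a stored value may have entered the database before the fix, so output escaping must not rely on input having been validated.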