
CVE-2024-13509
Severity: High
Published: 28 January 2025
Modified: 08 April 2026
KEV Added: not listed (not in the CISA KEV catalog as of the modification date)
CVSS v3.1 Score: 7.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score: 0.0086 (75.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13509 is a high-severity stored cross-site scripting (CWE-79) vulnerability in the WS Form LITE and PRO WordPress plugins from Westguard Solutions. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 24.5% of CVEs by predicted exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering), which correspond directly to the two missing defences: sanitization of the url parameter on the way in, and escaping of the stored value on the way out.

Deeper analysis

CVE-2024-13509 is a stored cross-site scripting (XSS) vulnerability affecting the WS Form LITE and PRO plugins for WordPress in all versions up to and including 1.10.13. The flaw stems from insufficient input sanitization and output escaping of the url parameter, allowing arbitrary web scripts to be injected into pages. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is associated with CWE-79.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required to plant the payload. Because the injected value is stored, the script runs in the browser of every user who later loads the affected page, with the privileges of that user's session; this can lead to session hijacking, data theft, or further actions performed in the victim's browser context. The Scope: Changed metric in the CVSS vector reflects exactly this: the vulnerable component is the plugin on the server, while the impact lands in visitors' browsers.
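The vulnerable and hardened handling of a url-type parameter, written here as an added illustration of the SI-10/SI-15 split and not taken from WS Form's code (the plugin's actual code paths are not on this page). It is generic PHP that runs under the php CLI with no WordPress dependency; it assumes the value is rendered inside an href attribute and that http, https and mailto are the only schemes the application needs. Inside a WordPress plugin the same roles are played by esc_url_raw()/esc_url() on input and esc_attr() on output. The point it makes that the advisory text does not: attribute escaping alone is not enough for a URL sink, because javascript: is perfectly valid attribute content, so the scheme has to be validated before the value is stored.

```php
<?php
// Added example, not WS Form code: validate a user-supplied "url" parameter
// on input (SI-10) and escape it on output (SI-15) before it lands in an
// HTML attribute. Allowed schemes are an assumption for the demo.

declare(strict_types=1);

/**
 * Input validation (SI-10): accept only an absolute URL with an allow-listed
 * scheme; return null when the value must be rejected. This is the step that
 * stops "javascript:" URLs. HTML escaping alone leaves them fully functional
 * inside an href, because ":" and letters are not HTML-special characters.
 */
function validate_url_param(string $raw): ?string
{
    $url = trim($raw);
    // Strip ASCII control characters and spaces: browsers ignore them when
    // parsing a scheme, so "java\tscript:" would otherwise slip past a naive
    // string comparison of the scheme.
    $url = preg_replace('/[\x00-\x20\x7f]/', '', $url) ?? '';

    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        return null;  // relative, scheme-less or unparseable: reject
    }

    $allowed = ['http', 'https', 'mailto'];  // assumption for this demo
    if (!in_array(strtolower($parts['scheme']), $allowed, true)) {
        return null;
    }
    return $url;
}

/**
 * Output escaping (SI-15): encode for an HTML attribute context so a stored
 * value cannot close the attribute or the tag (", ', <, >, & are encoded).
 */
function esc_attr_ctx(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: the stored value is written into the attribute as-is. */
function render_link_vulnerable(string $url): string
{
    return '<a href="' . $url . '">link</a>';
}

/** Hardened rendering: validate on input, escape on output. */
function render_link_safe(string $raw): string
{
    $url = validate_url_param($raw);
    if ($url === null) {
        return '<a href="#">link</a>';  // or omit the link entirely
    }
    return '<a href="' . esc_attr_ctx($url) . '">link</a>';
}

if (PHP_SAPI === 'cli') {
    // Constructed payloads for the demo; none are taken from a real exploit.
    $payloads = [
        'https://example.com/page?id=1',      // benign, passes both stages
        'javascript:alert(document.cookie)',  // survives escaping, fails validation
        '" onmouseover="alert(1)',            // attribute break-out, fails both
        "java\tscript:alert(1)",              // control char, fails validation
    ];
    foreach ($payloads as $p) {
        echo "input:      $p\n";
        echo "vulnerable: " . render_link_vulnerable($p) . "\n";
        echo "safe:       " . render_link_safe($p) . "\n\n";
    }
}
```

If the application legitimately needs relative links, extend validate_url_param to accept scheme-less values that begin with a single "/" (but not "//", which browsers treat as protocol-relative and would again allow an attacker-chosen host); do not loosen the scheme allow-list instead. The two functions are deliberately separate: validation protects the stored data, escaping protects every rendering context, and a bug in either one is what CVE-2024-13509 describes.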

Advisories indicate the vulnerability is only partially fixed in version 1.10.13 and completely addressed in version 1.10.14. Relevant references include WordPress plugin trac changesets 3225862 and 3226595, the WS Form changelog at wsform.com, and Wordfence threat intelligence detailing the issue. Administrators of WordPress sites running WS Form LITE or PRO should update to 1.10.14 or later; being on 1.10.13 is not sufficient.

Vulnerability details

The WS Form LITE and PRO plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stored XSS in a public-facing WordPress plugin maps directly to T1190: an unauthenticated attacker injects script over the network into an Internet-facing application, and the application itself delivers it to other users.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47873 (shared CWE-79)
CVE-2026-7052 (shared CWE-79)
CVE-2024-56060 (shared CWE-79)
CVE-2025-49043 (shared CWE-79)
CVE-2026-40038 (shared CWE-79)
CVE-2024-56022 (shared CWE-79)
CVE-2025-68889 (shared CWE-79)
CVE-2026-1074 (shared CWE-79)
CVE-2025-22539 (shared CWE-79)
CVE-2025-22286 (shared CWE-79)

Affected Assets

Vendor: Westguard Solutions (westguardsolutions)
Product: WS Form LITE and PRO (ws form)
Versions: ≤ 1.10.13 (partially fixed in 1.10.13, fully fixed in 1.10.14; treat anything below 1.10.14 as affected)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly mitigates the insufficient input sanitization of the url parameter that enables unauthenticated attackers to inject arbitrary web scripts.

SI-15 Information Output Filtering (prevent)

Directly addresses the insufficient output escaping that allows injected scripts to execute in users' browsers when they access affected pages.

SI-2 Flaw Remediation (prevent)

Ensures timely flaw remediation by updating WS Form plugins to version 1.10.14 or later, which completely fixes the stored XSS vulnerability.
