CVE-2024-13571
Published: 26 February 2025
Summary
CVE-2024-13571 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Agilelogix Post Timeline. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE is ranked at the 23.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-13571 is a reflected cross-site scripting (XSS) vulnerability in the Post Timeline WordPress plugin versions before 2.3.10. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling attackers to inject and execute malicious scripts. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-79.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity by crafting a malicious payload in a parameter that the plugin reflects into the page without sanitization. Exploitation requires user interaction, such as an administrator clicking a malicious link, and results in JavaScript execution in the victim's browser context with a changed scope (S:C) and low impacts on confidentiality, integrity, and availability.
The WPScan advisory at https://wpscan.com/vulnerability/ad6ad44d-fdc3-494c-a371-5d7959d1fd23/ details the issue, with mitigation achieved by updating the Post Timeline plugin to version 2.3.10 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5309
Vulnerability details
The Post Timeline WordPress plugin before 2.3.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS directly enables arbitrary JS execution in the victim's browser context, facilitating browser session hijacking and theft of web session cookies.
Mitigating Controls (NIST 800-53 r5)
SI-15 requires filtering of output to block malicious scripts from being reflected unsanitized in web pages, directly preventing exploitation of this reflected XSS vulnerability.
SI-10 enforces validation of untrusted inputs to reject malicious payloads before processing and output, addressing the plugin's failure to sanitize parameters.
SI-2 mandates timely flaw remediation, such as updating the Post Timeline plugin to version 2.3.10, which patches the sanitization and escaping deficiency.
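The following is an added example, not code from the Post Timeline plugin, illustrating the reflected-XSS pattern described in the deeper analysis and the two control boundaries named above: SI-10 (validate the request parameter before it is processed) and SI-15 (escape it for its exact output context before it is emitted). The parameter name "timeline_view", the "pt_example" function names and the allow-list values are hypothetical; the WordPress functions wp_unslash, sanitize_text_field, esc_attr, esc_html and add_shortcode are real. The guarded stand-in functions at the top exist only so the file also runs from the PHP CLI outside WordPress; they are not WordPress's implementations.

```php
<?php
// Added example (not the Post Timeline plugin's code). The parameter name
// "timeline_view", the function names and the "pt_example" prefix are
// hypothetical; the WordPress functions used (wp_unslash, sanitize_text_field,
// esc_attr, esc_html, add_shortcode) are real.

// Minimal stand-ins so the file also runs from the PHP CLI outside WordPress.
// They are NOT WordPress's implementations, only enough to show the contrast.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $v ) { return stripslashes( (string) $v ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $v ) { return trim( strip_tags( (string) $v ) ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $v ) { return htmlspecialchars( (string) $v, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $v ) { return htmlspecialchars( (string) $v, ENT_QUOTES, 'UTF-8' ); }
}

// Vulnerable pattern (CWE-79): the request parameter reaches the HTML with
// neither input validation (SI-10) nor output escaping (SI-15).
function pt_example_render_vulnerable( array $get ) {
    $view = isset( $get['timeline_view'] ) ? $get['timeline_view'] : 'all';
    return '<div class="timeline" data-view="' . $view . '">' . $view . '</div>';
}

// Hardened pattern: validate at the input boundary, escape at the output boundary.
function pt_example_render_safe( array $get ) {
    // SI-10: unslash, sanitize, then restrict to the values the feature supports.
    // An allow-list rejects anything unexpected instead of trying to clean it.
    $allowed = array( 'all', 'year', 'month' );
    $view    = isset( $get['timeline_view'] )
        ? sanitize_text_field( wp_unslash( $get['timeline_view'] ) )
        : 'all';
    if ( ! in_array( $view, $allowed, true ) ) {
        $view = 'all';
    }

    // SI-15: escape for the exact output context (attribute vs. element body)
    // at the moment of output, even though the value was already validated.
    return sprintf(
        '<div class="timeline" data-view="%s">%s</div>',
        esc_attr( $view ),
        esc_html( $view )
    );
}

// Inside WordPress, expose only the hardened renderer as a shortcode.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'pt_example_timeline', function () {
        return pt_example_render_safe( $_GET );
    } );
}

// CLI demonstration with a constructed, harmless input: markup in the
// parameter is emitted verbatim by the vulnerable renderer and neutralised
// by the hardened one (the allow-list falls back to 'all').
if ( PHP_SAPI === 'cli' ) {
    $constructed = array( 'timeline_view' => '<b>not-a-view</b>' );
    echo "vulnerable: ", pt_example_render_vulnerable( $constructed ), PHP_EOL;
    echo "hardened:   ", pt_example_render_safe( $constructed ), PHP_EOL;
}
```

Two points the example is meant to make concrete: the allow-list in the hardened renderer is the SI-10 step, so a value the feature does not recognise is replaced rather than merely cleaned, and esc_attr versus esc_html is the SI-15 step, chosen per output context rather than applied once at input time. Both are needed; escaping alone would still let an unexpected value drive the page, and validation alone would break the moment a legitimate value ever needed characters that are special in HTML.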