CVE-2024-13574
Published: 11 March 2025
Summary
CVE-2024-13574 is a high-severity reflected Cross-site Scripting (CWE-79) vulnerability in the XV Random Quotes WordPress plugin by Xavivars. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 34.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering): escaping the reflected parameter on output is the control that actually closes this bug; validating the parameter on input is defense in depth.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-15 (Information Output Filtering): mandates filtering and encoding of output before it is rendered, which prevents reflected XSS from unescaped parameters such as the one this plugin echoes back into the page.
SI-10 (Information Input Validation): requires validation and sanitization of request parameters, blocking injection of script content aimed at high-privilege users.
SI-2 (Flaw Remediation): ensures timely remediation by updating the XV Random Quotes plugin to a release later than 1.40 once a fixed version is available (all versions through 1.40 are affected).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin enables direct exploitation of the web application (T1190), delivery of the payload through crafted malicious links in phishing (T1566.002), arbitrary JavaScript execution in the victim's browser (T1059.007), and attacks on the victim's authenticated browser session (T1185). The description does not spell out session hijacking, but it notes that high-privilege users such as admin are the likely targets, which is what makes T1185 relevant.
NVD Description
The XV Random Quotes WordPress plugin through 1.40 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Deeper analysis
CVE-2024-13574 is a reflected cross-site scripting (XSS) vulnerability in the XV Random Quotes WordPress plugin through version 1.40 (that is, 1.40 and all earlier releases). The flaw arises because the plugin fails to sanitize and escape a request parameter before outputting it back into the page, so script content supplied in the URL is rendered and executed in the victim's browser. The issue is classified under CWE-79 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L); the high rating comes from network accessibility, no required privileges, and the scope change (the script runs in the user's browser, not in the plugin's own security scope).
Attackers can exploit this vulnerability remotely and without privileges by tricking a targeted user, such as an administrator, into opening a maliciously crafted link or page. Successful exploitation executes arbitrary JavaScript in the context of the victim's browser session on the WordPress site; against an administrator that is enough to hijack the session, read data the admin can see, or submit authenticated requests on the admin's behalf. Each of confidentiality, integrity, and availability is rated Low in the vector, but the requirement for user interaction makes this a natural payload for phishing campaigns aimed at high-privilege WordPress users.
WPScan's advisory at https://wpscan.com/vulnerability/7eb9ef20-5d34-425e-b7fc-38a769d0a822/ documents the vulnerability; security practitioners should consult it for detection details, patch availability, and mitigation guidance, such as updating to a fixed version later than 1.40 once available, or applying input validation and output escaping in the meantime.
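To make the mitigating controls above (SI-10 input validation, SI-15 output escaping) and the flaw class from the analysis concrete, here is an added example that is not code from the XV Random Quotes plugin or from WPScan. The page does not name the affected parameter, so the example reflects a hypothetical `q` parameter. It shows the vulnerable echo-it-back pattern beside a hardened version that escapes for the exact HTML context. The WordPress helpers `esc_html` and `esc_attr` are assumed; fallbacks with the same contract are defined so the file also runs stand-alone with `php xss_demo.php`.

```php
<?php
// Added example; not the plugin's code. The affected parameter is not named on
// the page, so "q" is a hypothetical stand-in for the reflected parameter.
declare(strict_types=1);

// WordPress provides esc_html()/esc_attr(). Outside WordPress (e.g. CLI demo)
// we define equivalents so the script is self-contained.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern (the bug class CVE-2024-13574 describes): the request
// parameter is written straight into an attribute and an element body.
function render_vulnerable(array $get): string {
    $q = (string) ($get['q'] ?? '');
    return '<div class="xv-quote" data-q="' . $q . '">' . $q . '</div>';
}

// SI-10: input validation. Hypothetical rule for this demo: reject invalid
// UTF-8, control characters and over-long values. Returns null on rejection.
function validate_quote_param(string $raw): ?string {
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $raw) === 1) {
        return null;
    }
    if (mb_strlen($raw, 'UTF-8') > 120) {
        return null;
    }
    return $raw;
}

// SI-15: output escaping, chosen per context. Validation alone would let the
// payload below through (it is printable text); escaping is what defuses it.
function render_hardened(array $get): string {
    $value = validate_quote_param((string) ($get['q'] ?? '')) ?? '';
    return '<div class="xv-quote" data-q="' . esc_attr($value) . '">'
         . esc_html($value) . '</div>';
}

// Constructed payload of the kind a phishing link against a logged-in admin
// would carry; it is NOT the payload from the advisory or proof-of-concept.
$payload = '"><script>fetch("/wp-admin/?x=" + document.cookie)</script>';

echo "Vulnerable output (attribute broken out of, script tag live):\n";
echo render_vulnerable(['q' => $payload]), "\n\n";

echo "Hardened output (quotes and angle brackets entity-encoded):\n";
echo render_hardened(['q' => $payload]), "\n\n";

// A control character is rejected by validation before it reaches the page.
echo "Rejected by validation: ";
var_dump(validate_quote_param("hello\x00world"));
```

Run it and compare the two `<div>` lines: in the vulnerable output the `">` closes the `data-q` attribute early and the `<script>` element is rendered live, while in the hardened output the same bytes appear as `&quot;&gt;&lt;script&gt;...`, inert in both the attribute and the element body. The point for reviewers of similar plugins is that the decisive fix is escaping at the point of output for the context being written; validation narrows the attack surface but cannot substitute for it.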
Details
- CWE(s)