CVE-2024-13626
Published: 17 February 2025
Summary
CVE-2024-13626 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Vruiz Vr-Frases. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates filtering and escaping of information outputs to prevent reflected XSS payloads from executing in users' browsers.
Requires validation and sanitization of input parameters to block malicious script injection before they are processed and output by the plugin.
Ensures timely identification, reporting, and patching of flaws like the unsanitized parameter in the vulnerable WordPress plugin.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in WordPress plugin enables exploitation of public-facing web application (T1190), client-side code execution via unsanitized server response (T1203), JavaScript execution in victim browser (T1059.007), and stealing admin session cookies for account abuse (T1539).
NVD Description
The VR-Frases (collect & share quotes) WordPress plugin through 3.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as…
more
admin.
Deeper analysisAI
CVE-2024-13626 is a reflected cross-site scripting (XSS) vulnerability in the VR-Frases (collect & share quotes) WordPress plugin through version 3.0.1. The flaw arises because the plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing malicious scripts to be injected and executed in a user's browser. It is classified under CWE-79 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and potential scope change.
An unauthenticated attacker (PR:N) can exploit this vulnerability by crafting a malicious URL containing a script payload in the vulnerable parameter and tricking a target user, such as a site administrator, into interacting with it (UI:R), for example by clicking a phishing link or visiting a malicious page. Upon execution in the victim's browser (S:C), the XSS payload can lead to low-level impacts including limited confidentiality, integrity, and availability effects, such as session token theft, defacement, or unauthorized actions performed with the victim's privileges.
The WPScan advisory at https://wpscan.com/vulnerability/511c6e7a-087f-41ef-9009-2525f332f8c6/ details the vulnerability, including affected versions through 3.0.1. Security practitioners should check for plugin updates beyond 3.0.1 to mitigate the issue, as the description indicates remediation in later releases.
Details
- CWE(s)