Cyber Resilience

CVE-2024-13631

Severity: High · Public PoC

Published: 26 February 2025
Modified: 20 May 2025
KEV Added: not listed
Patch: not listed
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0008 (23.7th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13631 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Sanditsolution Om Stripe. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE ranks at the 23.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-13631 is a reflected cross-site scripting (XSS) vulnerability in the Om Stripe WordPress plugin through version 02.00.00. The flaw arises because the plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing malicious scripts to be injected and executed in a user's browser. This issue is classified under CWE-79 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and potential scope change.

Attackers require no privileges (PR:N) and can exploit this over the network (AV:N) by tricking a targeted user, such as a site administrator, into interacting with a maliciously crafted link or page (UI:R). Successful exploitation executes arbitrary JavaScript in the victim's browser context with that high-privilege user's permissions. The vector rates the direct impact as low on confidentiality, integrity, and availability (C:L/I:L/A:L), which in practice covers session hijacking, data theft, or unauthorized actions within the WordPress admin interface.

The WPScan advisory at https://wpscan.com/vulnerability/c991fdd0-cb9d-43ea-bafa-df3b2e806013/ provides detailed analysis and recommends mitigation steps, including updating to a patched version of the plugin if available or disabling it until remediation. Security practitioners should review this reference for specific patch information and workarounds.

Vulnerability details

The Om Stripe WordPress plugin through 02.00.00 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CWE(s)

CWE-79 (Improper Neutralization of Input During Web Page Generation, Cross-site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Reflected XSS enables browser script execution for session hijacking (T1185) and exploits a public web app (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1843 (shared CWE-79)
CVE-2026-42678 (shared CWE-79)
CVE-2023-49186 (shared CWE-79)
CVE-2025-22586 (shared CWE-79)
CVE-2026-1316 (shared CWE-79)
CVE-2025-23451 (shared CWE-79)
CVE-2026-34564 (shared CWE-79)
CVE-2025-23744 (shared CWE-79)
CVE-2025-23923 (shared CWE-79)
CVE-2025-23905 (shared CWE-79)

Affected Assets

Vendor: sanditsolution
Product: om stripe
Versions: ≤ 02.00.00

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-15 Information Output Filtering (prevent): requires filtering and escaping of information prior to display on web pages, directly preventing reflected XSS by neutralizing injected scripts from unsanitized parameters.

SI-10 Information Input Validation (prevent): mandates validation and sanitization of user inputs, blocking malicious payloads that could lead to reflected XSS in the Om Stripe plugin.

SI-2 Flaw Remediation (prevent): ensures timely identification, reporting, and remediation of flaws like CVE-2024-13631 through patching or disabling the vulnerable WordPress plugin.
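To make the bug class in the "Deeper analysis" section and the SI-10/SI-15 controls concrete, here is an added PHP illustration; it is not Om Stripe code, and because the advisory does not name the affected parameter, the query key "om_status" and the expected status values are hypothetical. The esc_html/esc_attr stand-ins exist only so the file runs outside WordPress.

```php
<?php
// Added illustration (not the plugin's code). "om_status" is a hypothetical
// stand-in for the unnamed reflected parameter in the advisory.
// Outside WordPress, esc_html()/esc_attr() are undefined; these minimal
// stand-ins approximate WordPress core (HTML-entity encoding) so plain PHP
// can run the file. Inside WordPress the real functions are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern (the class of bug the advisory describes): the query
// parameter is reflected into the page with neither validation nor escaping.
function render_status_vulnerable(array $query): string {
    $status = $query['om_status'] ?? '';
    return '<p class="notice">Payment status: ' . $status . '</p>';
}

// Hardened pattern, SI-10 (input validation) plus SI-15 (output filtering):
// restrict the parameter to the values the page actually expects, then escape
// for the exact HTML context (attribute vs. text node) it is written into.
function render_status_hardened(array $query): string {
    $allowed = ['succeeded', 'pending', 'failed']; // hypothetical value set
    $status  = $query['om_status'] ?? '';
    if (!in_array($status, $allowed, true)) {
        $status = 'unknown';           // reject rather than reflect
    }
    return '<p class="notice" data-status="' . esc_attr($status) . '">'
         . 'Payment status: ' . esc_html($status) . '</p>';
}

// Constructed sample request: a script tag placed in the reflected parameter.
$sample = ['om_status' => '<script>alert(document.cookie)</script>'];
echo render_status_vulnerable($sample), "\n"; // raw <script> reaches the browser
echo render_status_hardened($sample), "\n";   // rendered as the literal "unknown"
```

The vulnerable function shows why the CVSS vector carries a scope change: whatever the browser of a logged-in administrator receives runs with that session's privileges, so the fix belongs at the output boundary, not only in the attacker-facing input.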

References

WPScan advisory: https://wpscan.com/vulnerability/c991fdd0-cb9d-43ea-bafa-df3b2e806013/