Cyber Resilience

CVE-2024-13633

Severity: High · Public PoC referenced

Published: 26 February 2025
Modified: 20 May 2025
KEV Added: not listed
CVSS v3.1 base score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS score: 0.0011 (28.8th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13633 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Fb-Creations Simple Catalogue. Its CVSS base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-13633 is a reflected cross-site scripting (XSS) vulnerability in the Simple Catalogue WordPress plugin through version 1.0.2. The flaw arises because the plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing malicious scripts to be reflected and executed in a victim's browser. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation).

An unauthenticated attacker (PR:N) exploits it over the network (AV:N) by crafting a URL that carries the payload in the reflected parameter and getting a privileged user, typically an administrator, to open it, for example via a phishing link (UI:R). The vulnerable component is the server-side plugin, but the injected JavaScript runs in the victim's browser under the site's origin, which is why scope is rated Changed (S:C). Running in an administrator's session, the script can read page content and issue authenticated requests to wp-admin on the victim's behalf, so session hijacking, data theft and unauthorized actions are all possible, although the CVSS vector rates each of the confidentiality, integrity and availability impacts as Low (C:L/I:L/A:L).

The WPScan advisory at https://wpscan.com/vulnerability/4291d5eb-c006-42b0-accf-90f09f26b6a0/ describes the issue and recommends updating to a release later than 1.0.2. The wording "through 1.0.2" means that 1.0.2, the latest release at the time of disclosure, is affected; confirm that a later release actually addresses the flaw before relying on an update, and deactivate and remove the plugin if none is available. A web application firewall rule on the parameter is a stopgap only; the fix is escaping the value at the point of output.


Vulnerability details

The Simple catalogue WordPress plugin through 1.0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

Reflected XSS in public-facing WordPress plugin directly enables T1190 exploitation; payload executes arbitrary JS (T1059.007) delivered via crafted phishing links (T1566.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28126 (shared CWE-79)
CVE-2025-23732 (shared CWE-79)
CVE-2025-22294 (shared CWE-79)
CVE-2025-68906 (shared CWE-79)
CVE-2025-68836 (shared CWE-79)
CVE-2025-23598 (shared CWE-79)
CVE-2025-68892 (shared CWE-79)
CVE-2026-27348 (shared CWE-79)
CVE-2026-31845 (shared CWE-79)
CVE-2025-22317 (shared CWE-79)

Affected Assets

Fb-Creations Simple Catalogue, versions ≤ 1.0.2

Mitigating Controls (NIST 800-53 r5)

SI-15 Information Output Filtering (prevent): requires filtering and encoding of information before output, which directly addresses the plugin's failure to escape the reflected parameter; this is the control that actually stops the script from executing in the browser.

SI-10 Information Input Validation (prevent): mandates validation of inputs so that unexpected content in the vulnerable parameter is rejected or sanitised before use. Treat it as a defence-in-depth layer rather than the fix: a payload that contains no tags at all can still break out of an HTML attribute if the output is not escaped.

SI-2 Flaw Remediation (prevent): ensures timely identification, reporting and remediation of flaws such as this one by updating the Simple Catalogue plugin to a release later than 1.0.2, or removing the plugin if no fixed release is available.
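The following is an added example, not code from the Simple Catalogue plugin or from Fb-Creations. It reproduces the flaw class described in the deeper analysis (a request parameter echoed into the page without escaping) next to the WordPress-idiomatic fix that the SI-10 and SI-15 controls above call for. The parameter name cat_search, the markup, and the two probe strings are hypothetical and constructed for the demonstration; the stand-in definitions of esc_html(), esc_attr(), sanitize_text_field() and wp_unslash() exist only so the file runs outside WordPress and are skipped when the real functions are present. PHP 8 is assumed.

```php
<?php
// Added example, not code from the Simple Catalogue plugin or its authors.
// It reproduces the flaw class in CVE-2024-13633 (a request parameter echoed
// into HTML unescaped) next to the WordPress-idiomatic fix. The parameter name
// "cat_search" and the markup are hypothetical. Requires PHP 8 (str_contains).

// Stand-ins so the file runs outside WordPress (php reflected_xss_fix.php).
// Inside WordPress the real esc_html(), esc_attr(), sanitize_text_field() and
// wp_unslash() are already defined and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of the WordPress helper: drop tags, control bytes and edge whitespace.
    function sanitize_text_field(string $s): string {
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)) ?? '');
    }
}
if (!function_exists('wp_unslash')) {
    // WordPress adds slashes to $_GET/$_POST; unslash before any other processing.
    function wp_unslash(string $s): string { return stripslashes($s); }
}

// BEFORE: the vulnerable pattern. Whatever is in the URL lands in the page verbatim,
// once inside an attribute value and once as element text.
function render_search_vulnerable(array $get): string {
    $q = $get['cat_search'] ?? '';
    return '<input type="text" name="cat_search" value="' . $q . '">'
         . '<p>Results for ' . $q . '</p>';
}

// AFTER: validate on input (NIST SI-10) and escape for the output context (SI-15).
// Non-string values (?cat_search[]=) are rejected; esc_attr() is used inside the
// attribute and esc_html() in element text. Escape at the point of output, because a
// value that is harmless as text can still break out of an attribute.
function render_search_fixed(array $get): string {
    $raw = $get['cat_search'] ?? '';
    $q   = is_string($raw) ? sanitize_text_field(wp_unslash($raw)) : '';
    return '<input type="text" name="cat_search" value="' . esc_attr($q) . '">'
         . '<p>Results for ' . esc_html($q) . '</p>';
}

function expect(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

// Two constructed probes of the kind a crafted link carries. The second contains no
// tags at all, so input sanitisation alone does not stop it; only attribute escaping does.
$probes = [
    'script tag'         => '"><script>alert(document.domain)</script>',
    'attribute breakout' => '" onfocus="alert(document.domain)" autofocus="',
];

foreach ($probes as $name => $payload) {
    $bad  = render_search_vulnerable(['cat_search' => $payload]);
    $good = render_search_fixed(['cat_search' => $payload]);

    // Vulnerable output: the payload's leading quote closes the attribute early and the
    // remainder is parsed as live markup.
    expect(str_contains($bad, 'value=""'), "$name reflected verbatim in vulnerable output");
    // Fixed output: no script element and no injected event handler after the attribute.
    expect(!str_contains($good, '<script>'), "$name: no script element after fix");
    expect(!preg_match('/value="[^"]*"[^>]*on\w+=/', $good), "$name: no event handler after fix");
    echo "$name: neutralised\n";
}
```

Run it with php from the command line. In a real plugin the same two rules apply wherever the parameter is emitted: choose the escaping function by output context (esc_attr() in attributes, esc_html() in text, esc_url() in href or src, wp_kses_post() only where a limited set of HTML is deliberately allowed), and do it at the echo rather than once at the top of the request, since the same value may be output in more than one context.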
