CVE-2024-13633
Published: 26 February 2025
Summary
CVE-2024-13633 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Fb-Creations Simple Catalogue. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-13633 is a reflected cross-site scripting (XSS) vulnerability in the Simple Catalogue WordPress plugin through version 1.0.2. The flaw arises because the plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing malicious scripts to be reflected and executed in a victim's browser. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation).
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) by crafting a malicious URL with a reflected parameter and tricking a targeted high-privilege user, such as an admin, into interacting with it, typically via social engineering like phishing links (UI:R). Successful exploitation executes arbitrary JavaScript in the victim's context with changed scope (S:C), potentially enabling session hijacking, theft of sensitive data, or unauthorized actions on behalf of the victim, though impacts on confidentiality, integrity, and availability are rated low (C:I:A:L).
The WPScan advisory at https://wpscan.com/vulnerability/4291d5eb-c006-42b0-accf-90f09f26b6a0/ provides details on the vulnerability, including recommended mitigations such as updating to a patched version of the plugin beyond 1.0.2.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53906
Vulnerability details
The Simple catalogue WordPress plugin through 1.0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 exploitation; payload executes arbitrary JS (T1059.007) delivered via crafted phishing links (T1566.002).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 requires filtering and encoding of information prior to output, directly addressing the plugin's failure to sanitize and escape the reflected parameter to prevent XSS execution.
SI-10 mandates validation of inputs to ensure they are properly sanitized, mitigating the acceptance and reflection of malicious scripts in the vulnerable parameter.
SI-2 ensures timely identification, reporting, and remediation of flaws like this XSS vulnerability through patching the Simple Catalogue plugin beyond version 1.0.2.