CVE-2024-13668
Published: 07 March 2025
Summary
CVE-2024-13668 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Erwinwolff Wordpress Activity-O-Meter. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 41.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation and sanitization of user-supplied parameters to prevent injection of malicious JavaScript in the WordPress plugin.
- Mandates filtering and escaping of output before rendering in the page to block execution of reflected XSS payloads targeting admins.
- Ensures timely remediation of the plugin flaw through patching or updates as advised in the WPScan advisory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A reflected XSS flaw in a public-facing WordPress plugin maps to T1190 (exploitation of a public-facing application), T1059.007 (arbitrary JavaScript execution in the victim's browser), and T1204.001 (delivery of a malicious link that requires the user to click it).
NVD Description
The WordPress Activity O Meter WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins.
Deeper analysis
CVE-2024-13668 is a reflected cross-site scripting (XSS) vulnerability affecting the WordPress Activity O Meter plugin through version 1.0. The plugin fails to sanitize and escape a user-supplied parameter before outputting it back in the page, enabling attackers to inject and execute arbitrary JavaScript code in the context of the victim's browser. This issue is classified under CWE-79 (Cross-Site Scripting) and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) over the network (AV:N) with low complexity (AC:L), though it requires user interaction such as clicking a crafted link (UI:R). It targets high-privilege users such as site administrators: script runs in the victim's authenticated session, and because the injected code executes in the browser rather than in the plugin itself the scope is rated as changed (S:C). The rated impact on confidentiality, integrity, and availability is Low (C:L/I:L/A:L), corresponding to outcomes such as session hijacking or unauthorized actions performed with the victim's privileges.
Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/a7bfc094-b235-419d-882d-96b439651f65/, published on 2025-03-07. Security practitioners should review it for patch information or workarounds specific to the plugin.
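The control pairing named above (input validation per SI-10, output escaping per SI-15) is easiest to see side by side in WordPress plugin code. The following is an added illustration written for this page, not the Activity O Meter plugin's actual source; the parameter name `aom_filter` and the function names are hypothetical placeholders, since the advisory does not name the affected parameter, and the block assumes it runs inside WordPress where `wp_unslash()`, `sanitize_text_field()`, `esc_html()` and `esc_attr()` are available.

```php
<?php
// Added illustration for CVE-2024-13668, not the plugin's real code.
// "aom_filter" is a hypothetical parameter name; the advisory does not
// identify which parameter is reflected.

// Vulnerable pattern: the raw query parameter is echoed straight into HTML,
// so a crafted link makes the victim's browser render attacker-supplied markup.
function aom_render_filter_vulnerable() {
    $filter = isset( $_GET['aom_filter'] ) ? $_GET['aom_filter'] : '';
    echo '<p>Showing activity for: ' . $filter . '</p>';
}

// Hardened pattern: sanitize on input (NIST SI-10) and escape on output
// (NIST SI-15) with the WordPress helpers, plus an allow-list of known values.
function aom_render_filter_hardened() {
    $filter = '';
    if ( isset( $_GET['aom_filter'] ) ) {
        // wp_unslash() removes the slashes WordPress adds to request data;
        // sanitize_text_field() strips tags, invalid octets and line breaks.
        $filter = sanitize_text_field( wp_unslash( $_GET['aom_filter'] ) );
    }
    // Allow-list: only accept values the feature actually understands.
    $allowed = array( '', 'day', 'week', 'month' );
    if ( ! in_array( $filter, $allowed, true ) ) {
        $filter = '';
    }
    // esc_html() encodes <, >, &, " and ' at the point of output, so even a
    // value that slipped past sanitization cannot become markup.
    echo '<p>Showing activity for: ' . esc_html( $filter ) . '</p>';
}

// Same rule inside an HTML attribute: the context decides the escaper,
// so use esc_attr() here rather than esc_html().
function aom_render_filter_input_hardened() {
    $filter = isset( $_GET['aom_filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['aom_filter'] ) )
        : '';
    echo '<input type="text" name="aom_filter" value="' . esc_attr( $filter ) . '">';
}
```

When reviewing a plugin for this class of bug, look for any `$_GET`, `$_POST` or `$_REQUEST` value that reaches `echo`, `printf` or string concatenation into HTML without passing through the matching `esc_*()` function for its output context.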
Details
- CWE(s)