CVE-2024-13836
Published: 11 March 2025
Summary
CVE-2024-13836 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Forsyspress Wp Login Control. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 35.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-13836 is a reflected cross-site scripting (XSS) vulnerability in the WP Login Control WordPress plugin, affecting versions up to and including 2.0.0. The plugin neither sanitizes nor escapes a request parameter before writing it back into the page, so an attacker can inject HTML and script that the server reflects verbatim. Published on 2025-03-11, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-79.
The flaw is reachable remotely by an unauthenticated attacker with low attack complexity; the only precondition is user interaction, typically a victim following a crafted link. The realistic target is a high-privilege user such as an administrator who opens the link while logged in: the injected script then runs in that user's browser under the site's origin. The CVSS impact ratings are low (C:L/I:L/A:L), with the scope change (S:C) reflecting that the damage lands in the browser rather than in the vulnerable server component, but in practice that is enough for session theft or for actions performed with the victim's privileges. Note that WordPress sets its authentication cookies HttpOnly by default, so the more likely outcome is script-driven actions in the administrator's session rather than direct cookie exfiltration.
WPScan's advisory (https://wpscan.com/vulnerability/26c2026a-1490-4a0f-9d1d-54ee43c69f22/) recommends updating the plugin beyond version 2.0.0 to address the sanitization flaw. Confirm the installed version (for example with WP-CLI `wp plugin list`) rather than relying on the dashboard's update indicator; if no release above 2.0.0 is available, deactivate or remove the plugin.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54182
Vulnerability details
The WP Login Control WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.007 Command and Scripting Interpreter: JavaScript
Why these techniques?
Reflected XSS in a public-facing WordPress plugin is triggered by requesting the exposed application with a crafted URL (T1190); the reflected payload is JavaScript that executes in the victim's browser context (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: update the plugin beyond version 2.0.0, which removes the sanitization flaw at its source.
- SI-10 (Information Input Validation): validate and sanitize the vulnerable parameter on input so that markup and script characters are rejected or stripped before the value is used.
- SI-15 (Information Output Filtering): escape the parameter for its output context (HTML text or attribute) before it is written to the page, so that a reflected value cannot execute in an administrator's browser. Output escaping is the control that actually closes a reflected XSS; input sanitization is defence in depth and should not be relied on alone.
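As an added worked example (not code from the WP Login Control plugin or from the WPScan advisory), the following Python reproduces the defect class described in the deeper analysis beside the output-escaping fix behind the SI-15 control, and adds the canary-based reflection check a practitioner would run to confirm that a patched install no longer echoes the parameter raw. The parameter name "lc", the example.invalid URL and the two page templates are hypothetical; the advisory does not name the affected parameter.

```python
"""Reflected-XSS probe and output-escaping comparison for a WordPress-style
parameter echo.

Added example for this advisory; it is not code from the WP Login Control
plugin or from WPScan. The parameter name "lc", the base URL and the page
templates are hypothetical: the advisory does not name the affected parameter.
"""
import html
import secrets
from urllib.parse import urlencode


def render_vulnerable(param: str) -> str:
    """Hypothetical template reproducing the defect class: the raw request
    parameter is concatenated into HTML with no sanitisation or escaping."""
    return f"<p>Login control status: {param}</p>"


def render_hardened(param: str) -> str:
    """Same template with context-appropriate escaping at output time (the
    SI-15 side). In WordPress this is the job of esc_html()/esc_attr()."""
    return f"<p>Login control status: {html.escape(param, quote=True)}</p>"


def make_canary() -> tuple[str, str]:
    """Return (token, canary). The canary wraps the characters that matter for
    HTML injection (<, >, ", ') around a random token. It contains no script,
    so it is safe to send to a live target during verification."""
    token = "xc" + secrets.token_hex(4)
    return token, f'{token}<x>"\''


def build_probe_url(base_url: str, param_name: str, canary: str) -> str:
    """Crafted link of the kind the advisory describes: the payload travels in
    the query string and is reflected by the server into the response."""
    return f"{base_url}?{urlencode({param_name: canary})}"


def classify_reflection(body: str, token: str, canary: str) -> str:
    """Classify how the server echoed the canary.

    'raw'         -> canary present verbatim: the injection characters survive
                     unescaped and the endpoint is exploitable.
    'neutralised' -> token present but not the verbatim canary: the value was
                     escaped or its tag was stripped before output.
    'absent'      -> the parameter is not reflected at all.
    """
    if canary in body:
        return "raw"
    if token in body:
        return "neutralised"
    return "absent"


def probe(render, param_name: str = "lc") -> dict:
    """Run the check against a renderer. Offline here: a real run would fetch
    the probe URL and pass the HTTP response body to classify_reflection()."""
    token, canary = make_canary()
    url = build_probe_url("https://example.invalid/", param_name, canary)
    body = render(canary)  # stands in for the fetched response body
    return {"url": url, "verdict": classify_reflection(body, token, canary)}


if __name__ == "__main__":
    print("vulnerable template:", probe(render_vulnerable)["verdict"])
    print("hardened template:  ", probe(render_hardened)["verdict"])
```

The verdict is keyed on the random token rather than on a fixed string, so a cached or unrelated page cannot produce a false "raw" result, and the check distinguishes "not reflected" from "reflected but escaped", which is the difference between the parameter having been removed and the fix having been applied. The check targets the HTML-text context; a parameter reflected inside an attribute or a script block needs the corresponding context-specific canary.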