Cyber Resilience

CVE-2024-13836

High · Public PoC

Published: 11 March 2025
Modified: 06 May 2025
KEV Added: not listed
Patch: no patch reference given on this page
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0015 (35.1st percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13836 is a high-severity Cross-site Scripting (CWE-79) vulnerability in the WP Login Control WordPress plugin by Forsyspress. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 35.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-13836 is a reflected cross-site scripting (XSS) vulnerability in the WP Login Control WordPress plugin, versions through 2.0.0. The plugin takes a request parameter and writes it back into the page without sanitising it on input or escaping it on output, so an attacker-controlled value becomes part of the HTML and any script it carries executes. Published on 2025-03-11, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-79.

The flaw is exploitable remotely by an unauthenticated attacker with low complexity, but it needs user interaction: the victim has to open a crafted link. The vector's Scope: Changed reflects that the vulnerable component is the plugin on the server while the impact lands in the victim's browser. Because the injected script runs with whatever session the victim holds, the realistic targets are high-privilege users such as administrators; the attacker can then drive requests from the admin's browser and perform actions under the admin's privileges. One practical caveat: WordPress sets its authentication cookies HttpOnly, so outright cookie theft via document.cookie is not the usual outcome; scripted requests that ride the victim's existing session and nonces are the more likely abuse. Confidentiality, integrity and availability impacts are each rated Low.

The WPScan advisory at https://wpscan.com/vulnerability/26c2026a-1490-4a0f-9d1d-54ee43c69f22/ describes the issue and recommends updating the plugin to a release later than 2.0.0. This page does not name the fixed version, so confirm it against the advisory or the plugin changelog before closing the finding.

Vulnerability details

The WP Login Control WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Reflected XSS in a public-facing WordPress plugin is exploitation of a public-facing application (T1190); the crafted link then executes attacker-supplied JavaScript in the victim's browser context (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)

Affected Assets

forsyspress wp login control, versions ≤ 2.0.0

Mitigating Controls (NIST 800-53 r5)

prevent (control ID not given on this page): Directly requires timely remediation of the plugin's sanitisation flaw by updating to a release later than 2.0.0, which removes the vulnerable code path.

prevent SI-10 (Information Input Validation): Enforces validation and sanitisation of the vulnerable request parameter so that unexpected markup is rejected or stripped before it is used.

prevent SI-15 (Information Output Filtering): Escapes the parameter for its HTML context before it is written into the page, which is the control that actually stops the reflected script from executing in an administrator's browser.
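The two patterns behind the Deeper analysis and the SI-10/SI-15 controls above, as an added illustration that is not the WP Login Control plugin's code: a request parameter echoed into an attribute and into text unescaped, beside the hardened form that sanitises on input and escapes per output context. The parameter name "msg", the markup and the sample payloads are assumptions made for the demo; outside WordPress the three helpers are simplified stand-ins for the real WordPress functions.

```php
<?php
// Added example (not the WP Login Control plugin's code): the bug class on this
// page, a GET parameter reflected into the page unescaped, beside the hardened
// form. The parameter name "msg" and the markup are assumptions for the demo.
//
// Run stand-alone with `php reflected_xss_demo.php`. Outside WordPress the three
// helpers below are simplified stand-ins; inside WordPress they are skipped and
// the real sanitize_text_field() / esc_attr() / esc_html() are used.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Stand-in: drop tags and control characters, trim whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // Stand-in: HTML-encode for an attribute value, quotes included.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        // Stand-in: HTML-encode for element text content.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE pattern (CWE-79): the raw request value is concatenated into an
// attribute and into text with no sanitisation and no escaping, so a link such
// as ?msg=%22%3E%3Cscript%3E...%3C/script%3E closes the attribute and runs
// script in the browser of whoever follows it.
function render_notice_vulnerable(array $get): string {
    $msg = isset($get['msg']) ? $get['msg'] : '';
    return '<input type="hidden" name="msg" value="' . $msg . '">'
         . '<div class="notice">' . $msg . '</div>';
}

// HARDENED pattern: validate/sanitise on the way in (SI-10) and escape on the
// way out for the exact HTML context the value lands in (SI-15). Output
// escaping is what actually neutralises XSS; input sanitising is defence in
// depth and must not be relied on alone.
function render_notice_hardened(array $get): string {
    $msg = isset($get['msg']) ? sanitize_text_field($get['msg']) : '';
    if (strlen($msg) > 200) {   // reject anything outside the expected shape
        $msg = '';
    }
    return '<input type="hidden" name="msg" value="' . esc_attr($msg) . '">'
         . '<div class="notice">' . esc_html($msg) . '</div>';
}

// Constructed attacker inputs: the first breaks out of the attribute, the
// second needs no closing tag at all.
$payloads = [
    '"><script>alert(document.domain)</script>',
    '<img src=x onerror=alert(1)>',
];
foreach ($payloads as $p) {
    echo "payload:    $p\n";
    echo "vulnerable: " . render_notice_vulnerable(['msg' => $p]) . "\n";
    echo "hardened:   " . render_notice_hardened(['msg' => $p]) . "\n\n";
}
```

Inside a real plugin, read the value through wp_unslash() before sanitising, because WordPress slashes superglobals. If the reflected parameter is a URL rather than free text (a redirect target, for instance), escape it with esc_url() and validate it with wp_validate_redirect() instead of esc_attr(); the escaping function must match the context the value is written into, and a value that ends up inside a script block or an event handler attribute has no safe escaper and should not be reflected at all.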

References

WPScan advisory: https://wpscan.com/vulnerability/26c2026a-1490-4a0f-9d1d-54ee43c69f22/