CVE-2024-13862
Published: 11 March 2025
Summary
CVE-2024-13862 is a high-severity Cross-site Scripting (CWE-79) vulnerability in S3Bubble S3Bubble-Amazon-Web-Services-Oembed-Media-Streaming-Support. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The vulnerability is ranked at the 34.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): directly addresses the lack of parameter escaping before output by requiring filtering of information outputs to prevent reflected XSS script injection.
- SI-10 (Information Input Validation): mandates validation of unsanitized input parameters to block malicious payloads from being accepted and reflected in web pages.
- Vulnerability remediation: ensures timely correction of the specific flaw in the S3Bubble WordPress plugin through identification, reporting, and patching of the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables malicious link delivery (T1204.001) for arbitrary browser script execution, directly facilitating browser session hijacking (T1185) and web session cookie theft (T1539) as explicitly described in the CVE impacts.
NVD Description
The S3Bubble Media Streaming (AWS|Elementor|YouTube|Vimeo Functionality) WordPress plugin through 8.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Deeper analysis
CVE-2024-13862 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, in the S3Bubble Media Streaming (AWS|Elementor|YouTube|Vimeo Functionality) WordPress plugin through version 8.0. The flaw arises because the plugin does not sanitize and escape a request parameter before outputting it back into the page, so attacker-controlled markup is rendered by the victim's browser. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, no required privileges, required user interaction, and changed scope.
An unauthenticated attacker (PR:N) can exploit this remotely (AV:N) by crafting a malicious link or page that requires victim interaction (UI:R), such as clicking or viewing content. The reflected nature targets high-privilege users such as administrators, allowing arbitrary script execution in their browser context. This could result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), such as stealing session cookies, performing unauthorized actions, or defacing pages on behalf of the victim.
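The following is an added illustration of the flaw class and the SI-10/SI-15 controls above, written for this page and not taken from the S3Bubble plugin; it assumes WordPress is loaded, and the parameter name `media_id`, the shortcode name and the identifier format are hypothetical.

```php
<?php
/*
 * Added example, not S3Bubble's code. Assumes WordPress is loaded so that
 * wp_unslash(), sanitize_text_field(), esc_attr(), esc_html() and
 * add_shortcode() are available. `media_id` and the shortcode name are
 * hypothetical; the real plugin's parameter is not named in the advisory.
 */

// BEFORE: the pattern the advisory describes. A request parameter is
// echoed back into the page with no sanitisation and no output escaping,
// so whatever arrives in ?media_id=... is rendered as markup.
function s3b_example_vulnerable_shortcode( $atts ) {
    $id = isset( $_GET['media_id'] ) ? $_GET['media_id'] : '';
    return '<div class="s3b-player" data-id="' . $id . '">' . $id . '</div>';
}

// AFTER: SI-10 (validate and sanitise input) plus SI-15 (escape on output).
function s3b_example_fixed_shortcode( $atts ) {
    // SI-10: unslash the raw request value, then strip tags/control chars.
    $id = isset( $_GET['media_id'] )
        ? sanitize_text_field( wp_unslash( $_GET['media_id'] ) )
        : '';

    // SI-10: reject anything that does not match the expected shape.
    // (Hypothetical format: short alphanumeric identifier.)
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $id ) ) {
        return '';
    }

    // SI-15: escape for the exact context the value lands in:
    // esc_attr() inside an attribute, esc_html() as element text.
    return '<div class="s3b-player" data-id="' . esc_attr( $id ) . '">'
         . esc_html( $id ) . '</div>';
}

add_shortcode( 's3b_example_player', 's3b_example_fixed_shortcode' );
```

The allow-list check makes the escaping a second line of defence rather than the only one, which is what the pairing of SI-10 and SI-15 intends.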
Mitigation details are available in the WPScan advisories at https://wpscan.com/vulnerability/7692b768-a33f-45a2-90f1-1f4258493979/. The vulnerability was published on 2025-03-11.
Details
- CWE(s): CWE-79 (Cross-site Scripting)