CVE-2024-13881
Published: 20 March 2025
Summary
CVE-2024-13881 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gunnettmd Linkmyposts. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-13881 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Link My Posts WordPress plugin through version 1.0. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling malicious script execution in a victim's browser. Published on 2025-03-20, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and potential scope change.
Attackers require no privileges (PR:N) and can exploit this over the network (AV:N) with low complexity (AC:L), though it demands user interaction (UI:R), such as clicking a crafted link. The vulnerability targets high-privilege users like administrators, allowing attackers to execute scripts in their context, potentially leading to session hijacking, data theft, or further site compromise with low impacts on confidentiality, integrity, and availability but elevated scope (S:C).
Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/900fa2c6-0cac-4920-aef2-e8b94248b62e/. Security practitioners should review this reference for patching guidance and update the plugin beyond version 1.0 where possible.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6749
Vulnerability details
The Link My Posts WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and arbitrary JavaScript execution in the victim's browser (T1059.007), facilitating session hijacking and further compromise.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the failure to escape output by requiring filtering of information prior to display, preventing reflected XSS script execution in victims' browsers.
Mandates validation and sanitization of input parameters to block malicious payloads from being processed and reflected by the vulnerable WordPress plugin.
Requires timely identification, reporting, and patching of flaws such as this XSS vulnerability in the Link My Posts plugin through version 1.0.