Cyber Resilience

CVE-2024-13888

Severity: High

Published: 20 February 2025
Modified: 25 February 2025
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0194 (83.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13888 is a high-severity Open Redirect (CWE-601) vulnerability in the Amauri WPMobile.App plugin. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). The CVE ranks in the top 16.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13888 is an open redirect vulnerability (CWE-601) affecting the WPMobile.App plugin for WordPress in all versions up to and including 11.56. The flaw arises from insufficient validation of the redirect URL supplied via the 'redirect' parameter, and it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. By tricking a legitimate user into performing an action, such as clicking a crafted link, an attacker can redirect that user to a potentially malicious site, enabling phishing or other follow-on attacks; the direct impact on confidentiality and integrity is rated low.

Advisories recommend updating the WPMobile.App plugin to a version beyond 11.56 for mitigation. Key references include the plugin's Trac changeset 3243366, which addresses the issue; the Wordfence threat intelligence details at https://www.wordfence.com/threat-intel/vulnerabilities/id/a139f0fc-f3e0-4759-aa8d-ba138e5ccc87?source=cve; and the plugin developer page at https://wordpress.org/plugins/wpappninja/#developers.
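As an added illustration (not the plugin's code and not its Trac changeset), the following Python shows what "sufficient validation" of a `redirect` parameter looks like in practice: an allowlist check that accepts root-relative paths and absolute URLs on the site's own host, and sends everything else to a known-safe fallback. It goes beyond the single case the advisory describes by also handling the common ways such checks are bypassed (scheme-relative `//host`, backslash and userinfo forms, non-http schemes). The host `shop.example` and the fallback path `/` are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed for this example: the site's own host(s) and the landing page
# used when a redirect target is rejected. Neither value comes from the advisory.
ALLOWED_HOSTS = {"shop.example"}
FALLBACK = "/"


def validate_redirect(value: str, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK) -> str:
    """Return `value` if it is a same-site destination, otherwise `fallback`.

    Accepts root-relative paths ("/account") and absolute http(s) URLs whose
    host is on the allowlist. Everything else, including the usual ways an
    open-redirect check gets bypassed, falls back to a known-safe page.
    """
    if not value:
        return fallback
    # Control characters are never legitimate in a redirect target, and some
    # browsers silently drop them, so reject rather than try to clean them.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return fallback
    # Browsers treat "\" like "/" in URLs, so "/\evil.example" would become
    # the scheme-relative "//evil.example" after the redirect. Normalise first.
    cleaned = value.strip().replace("\\", "/")

    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) to an allowlisted host.
        # urlsplit() resolves "https://shop.example@evil.example/" to the real
        # host (evil.example), so the userinfo trick is caught here as well.
        if parts.scheme not in ("http", "https"):
            return fallback
        if (parts.hostname or "").lower() not in allowed_hosts:
            return fallback
        return cleaned
    # No scheme and no authority: accept only a root-relative path. A value
    # starting with "//" is scheme-relative and already rejected above, but
    # "///evil.example" parses as a plain path, so check the prefix explicitly.
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return fallback
    return cleaned
```

In a WordPress plugin the equivalent is to pass the parameter through the core validator before redirecting rather than redirecting to it directly.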

Vulnerability details

The WPMobile.App plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 11.56. This is due to insufficient validation on the redirect URL supplied via the 'redirect' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

CWE(s)

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

Open redirect directly enables crafting malicious links for spearphishing campaigns that redirect users to attacker-controlled sites.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24868 (shared CWE-601)
CVE-2024-57241 (shared CWE-601)
CVE-2025-24381 (shared CWE-601)
CVE-2025-0244 (shared CWE-601)
CVE-2020-36912 (shared CWE-601)
CVE-2026-7504 (shared CWE-601)
CVE-2026-34931 (shared CWE-601)
CVE-2026-29067 (shared CWE-601)
CVE-2024-51321 (shared CWE-601)
CVE-2026-28512 (shared CWE-601)

Affected Assets

Vendor: amauri
Product: wpmobile.app
Versions: ≤ 11.57

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-10 (Information Input Validation)

Directly requires validation of the 'redirect' parameter to prevent acceptance of untrusted URLs, addressing the core insufficient validation flaw in the WPMobile.App plugin.

prevent: SI-2 (Flaw Remediation)

Mandates timely remediation of the identified flaw by updating the plugin to versions beyond 11.56, as recommended in advisories.

prevent

Filters output such as redirect URLs to block malicious destinations, providing secondary protection against open redirects.
