Cyber Posture

CVE-2024-13900

Medium

Published: 21 February 2025
Modified: 25 February 2025
KEV Added: not listed
Patch: WordPress plugin trac changeset 3244016 (see Deeper analysis below)
CVSS Score: 4.1 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0011 (28.6th percentile)
Risk Priority: 8 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13900 is a medium-severity Code Injection (CWE-94) vulnerability in the Head, Footer and Post Injections WordPress plugin by Satollo. Its CVSS v3.1 base score is 4.1 (Medium).

Operationally, its EPSS score of 0.0011 places it at the 28.6th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mitigates the PHP code injection vulnerability by requiring timely patching of the affected WordPress plugin, as recommended in the advisories.

SI-10 Information Input Validation (prevent): Addresses the root cause, improper handling of plugin input, by validating what users may submit before it is stored or executed, so that malicious PHP supplied through the plugin's settings cannot run.

Least Functionality (prevent; the page gives no control ID for this entry, and the description matches CM-7): Reduces exposure to the vulnerable plugin by restricting system functionality to only essential capabilities, for example disabling the head, footer and post injection features that are not needed, and in particular the PHP execution feature on multisite networks.

Practitioner caveat: on a single-site WordPress install an Administrator can already install plugins and therefore execute arbitrary PHP, so these controls matter mainly on multisite, where per-site Administrators are not meant to have code execution and only network Super Admins are. That is the trust boundary the NVD description refers to.
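
The pattern the controls above address, as an illustrative example added here (it is not the plugin's own code, and the page does not say how the upstream fix is implemented): a plugin that stores administrator-supplied PHP and eval()s it on render, next to a hardened version that enforces the multisite trust boundary both at save time and at execution time and lets the PHP feature be switched off network-wide (the least-functionality control). All hfp_example_* function names, the option names and the nonce action are assumptions for the example; the WordPress API calls it uses (is_multisite, is_super_admin, current_user_can, check_admin_referer, get_option, update_option, get_site_option, wp_die) are real.

```php
<?php
// Illustrative example added to this page; not the plugin's code, and the page does
// not confirm how the real fix works. Function names, option names and the nonce
// action are assumptions. It shows the trust-boundary problem behind CVE-2024-13900:
// administrator-supplied PHP stored by a plugin and later executed.

// VULNERABLE PATTERN: whoever can reach the plugin's settings page can save PHP that
// runs on every page load. On a single site an Administrator can already install
// plugins, so this adds nothing; on multisite a per-site Administrator is NOT trusted
// to execute code, so this escalates to code execution on the whole network.
function hfp_example_render_footer_vulnerable() {
    $snippet = get_option('hfp_example_footer_php', '');   // assumed option name
    if ($snippet !== '') {
        // Leading '?>' puts eval() in HTML mode so the snippet may mix markup and <?php ... ?>.
        eval('?>' . $snippet);
    }
}

// Who may author executable PHP? Network Super Admins on multisite; the site owner
// (Administrator) on a single site.
function hfp_example_user_may_author_php() {
    if (is_multisite()) {
        return is_super_admin();
    }
    return current_user_can('manage_options');
}

// HARDENED, part 1: enforce the boundary when the snippet is saved.
function hfp_example_save_footer_php_hardened($submitted) {
    check_admin_referer('hfp_example_save');               // assumed nonce action
    if (!hfp_example_user_may_author_php()) {
        wp_die('Only network Super Admins may store executable PHP on a multisite network.', 403);
    }
    update_option('hfp_example_footer_php', (string) $submitted);
}

// HARDENED, part 2: enforce it again at execution time, so a snippet saved by a
// site Administrator before the fix does not keep running. On multisite, PHP
// execution stays off unless a Super Admin enabled it network-wide (least functionality).
function hfp_example_render_footer_hardened() {
    if (is_multisite() && !get_site_option('hfp_example_allow_php', false)) { // assumed network option
        return; // do not execute; the stored text is simply not emitted
    }
    $snippet = get_option('hfp_example_footer_php', '');
    if ($snippet !== '') {
        eval('?>' . $snippet);
    }
}
```

Both checks are needed: the save-time check stops new snippets from untrusted site Administrators, and the render-time check neutralises anything already stored. Input validation alone (SI-10) cannot make content safe that is meant to be executed as PHP; the effective control is deciding who is trusted to author it and whether the feature is enabled at all.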

NVD Description

The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject PHP Code in multisite environments.

Deeper analysis

CVE-2024-13900 is a PHP Code Injection vulnerability (CWE-94) in the Head, Footer and Post Injections plugin for WordPress, affecting all versions up to and including 3.3.0. The flaw is specific to multisite environments: the plugin lets a site-level Administrator store content that is executed as PHP, which crosses the trust boundary between per-site Administrators and network Super Admins.

Authenticated attackers with Administrator-level access or higher can exploit this vulnerability over the network. Exploitation requires high attack complexity but no user interaction, and the scoring assigns limited impact to confidentiality, integrity and availability, giving a CVSS v3.1 base score of 4.1 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L).

Advisories recommend updating the plugin to a version later than 3.3.0. The WordPress plugin trac changeset 3244016 documents the fix, and the referenced Wordfence page provides the threat-intelligence details.

Details

CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')

Affected Products:
satollo / head, footer, and post injections / ≤ 3.3.1

Note that the NVD description above gives the affected range as up to and including 3.3.0, while this product entry lists ≤ 3.3.1; confirm the fixed version against the plugin changelog before closing a ticket.

CVEs Like This One

CVE-2026-25001 (shared CWE-94)
CVE-2026-32573 (shared CWE-94)
CVE-2025-25943 (shared CWE-94)
CVE-2025-67113 (shared CWE-94)
CVE-2025-22906 (shared CWE-94)
CVE-2025-63421 (shared CWE-94)
CVE-2025-23209 (shared CWE-94)
CVE-2026-39440 (shared CWE-94)
CVE-2026-42238 (shared CWE-94)
CVE-2026-32276 (shared CWE-94)
