Cyber Resilience

CVE-2024-56038

High

Published: 02 January 2025

Published
02 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0031 54.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56038 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked in the top 45.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-56038 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS), in the SendSMS WordPress plugin developed by catalinsendsms. The issue affects SendSMS versions from n/a through 1.2.9 and is associated with CWE-79.

Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), such as clicking a malicious link. Exploitation changes the scope (S:C) and results in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), with an overall CVSS v3.1 score of 7.1. This enables execution of arbitrary scripts in the victim's browser context, potentially leading to session hijacking or data theft.

The Patchstack advisory provides details on this WordPress SendSMS plugin vulnerability, including assessment and recommended actions for mitigation.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catalinsendsms SendSMS sendsms allows Reflected XSS.This issue affects SendSMS: from n/a through <= 1.2.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Reflected XSS directly enables arbitrary JavaScript execution in the victim's browser, facilitating session hijacking as explicitly noted in the CVE description.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-25203Shared CWE-79
CVE-2025-67959Shared CWE-79
CVE-2025-68835Shared CWE-79
CVE-2026-32118Shared CWE-79
CVE-2025-24617Shared CWE-79
CVE-2026-30934Shared CWE-79
CVE-2026-24833Shared CWE-79
CVE-2025-25823Shared CWE-79
CVE-2025-36548Shared CWE-79
CVE-2025-69392Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires filtering and neutralization of output to web pages, preventing reflected XSS by blocking execution of injected scripts in the victim's browser.

prevent

Enforces validation of inputs to detect and reject malformed or malicious data that could be reflected as XSS payloads in the SendSMS plugin.

prevent

Requires timely flaw remediation, including patching the specific improper neutralization vulnerability in SendSMS versions through 1.2.9.

References