Cyber Resilience

CVE-2024-56060

High

Published: 02 January 2025
Modified: 23 April 2026
KEV Added: not listed
Patch: not specified on this page
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0027 (50.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-56060 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-56060 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the HTML Forms WordPress plugin developed by Link Software LLC. The flaw affects all versions of the html-forms plugin up to and including 1.4.1. It carries a CVSS v3.1 base score of 7.1, reflecting network accessibility, low attack complexity, no required privileges, required user interaction, changed scope, and low impacts on confidentiality, integrity, and availability.

Remote attackers without privileges can exploit this vulnerability by crafting malicious payloads delivered through reflected inputs on sites running the vulnerable plugin. Exploitation requires tricking a user, such as a site visitor or administrator, into following a malicious link or submitting a crafted form, so that the payload executes in that user's browser. The CVSS scope change records exactly this: the vulnerable component is the plugin running on the web server, while the impact lands in the victim's browser within the site's origin. Successful exploitation allows limited theft or modification of data in that context, such as page content, non-HttpOnly cookies, or actions performed with the victim's session (including administrative actions if the victim is a logged-in administrator), alongside minor denial-of-service potential.

The Patchstack advisory referenced by this entry documents this Reflected XSS issue specifically in WordPress HTML Forms plugin version 1.4.1 and is the primary source for the plugin's mitigation details.


Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Link Software LLC HTML Forms html-forms allows Reflected XSS. This issue affects HTML Forms: from n/a through <= 1.4.1.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Reflected XSS in a publicly accessible WordPress plugin directly enables remote exploitation of a web-facing application without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47873 (shared CWE-79)
CVE-2026-7052 (shared CWE-79)
CVE-2025-49043 (shared CWE-79)
CVE-2026-40038 (shared CWE-79)
CVE-2024-56022 (shared CWE-79)
CVE-2025-68889 (shared CWE-79)
CVE-2026-1074 (shared CWE-79)
CVE-2025-22539 (shared CWE-79)
CVE-2025-22286 (shared CWE-79)
CVE-2025-68031 (shared CWE-79)


Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)

Directly requires identifying, reporting, and correcting the specific XSS flaw by updating the HTML Forms plugin to a release later than 1.4.1.

SI-10 Information Input Validation (prevent)

Mandates validation of reflected inputs in the HTML Forms plugin so that values not matching their expected form are rejected before they reach page generation.

SI-15 Information Output Filtering (prevent)

Requires context-appropriate escaping of reflected form values on output so that any script content is neutralized before the page is rendered in the user's browser.
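As an added illustration that is not code from the HTML Forms plugin (the advisory does not identify the affected parameter or template), the following PHP shows the reflected-XSS pattern described under Deeper analysis beside a hardened version that applies the SI-10 input validation and SI-15 output escaping named above, using WordPress's esc_attr(). The parameter name hf_redirect, the three render functions and the constructed payload are hypothetical; the esc_attr() fallback exists only so the file runs outside WordPress.

```php
<?php
// Added illustration of the CWE-79 pattern behind CVE-2024-56060. This is NOT
// code from the HTML Forms plugin; the parameter name "hf_redirect" and the
// render functions are hypothetical.

// Stand-alone fallback so the file runs outside WordPress. Inside WordPress the
// real esc_attr() from wp-includes/formatting.php is used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: a request value is concatenated into the form markup as-is.
// Because the value arrives in the URL of the page being viewed, a crafted link
// makes the victim's browser render attacker-chosen HTML in the site's origin.
function render_form_vulnerable(array $request): string {
    $redirect = $request['hf_redirect'] ?? '';
    return '<form method="post">'
         . '<input type="hidden" name="hf_redirect" value="' . $redirect . '">'
         . '</form>';
}

// Hardened pattern. SI-10: accept only a same-site relative path and drop anything
// else. SI-15: escape for the HTML attribute context the value is written into,
// so quotes and angle brackets can no longer terminate the attribute or open a tag.
function render_form_hardened(array $request): string {
    $redirect = (string) ($request['hf_redirect'] ?? '');
    if (!preg_match('#^/[A-Za-z0-9_\-./?=&%]*$#', $redirect)) {
        $redirect = '';
    }
    return '<form method="post">'
         . '<input type="hidden" name="hf_redirect" value="' . esc_attr($redirect) . '">'
         . '</form>';
}

// Escape-only variant, to show what SI-15 alone buys when a value must be echoed
// back but cannot be constrained to an allow-list.
function render_form_escaped_only(array $request): string {
    $redirect = (string) ($request['hf_redirect'] ?? '');
    return '<form method="post">'
         . '<input type="hidden" name="hf_redirect" value="' . esc_attr($redirect) . '">'
         . '</form>';
}

// Constructed request of the kind a malicious link would carry.
$payload = ['hf_redirect' => '"><script>alert(document.domain)</script>'];

echo "vulnerable:   " . render_form_vulnerable($payload) . "\n";
echo "hardened:     " . render_form_hardened($payload) . "\n";
echo "escaped only: " . render_form_escaped_only($payload) . "\n";
```

In the vulnerable output the leading double quote closes the value attribute and the script element is emitted as live markup. In the hardened output the value fails the allow-list and the attribute is emitted empty. In the escape-only output the payload survives only as data, because esc_attr() encodes the quote as &quot; and the angle brackets as &lt; and &gt;. Validation (SI-10) and output escaping (SI-15) are complementary: the allow-list limits what the parameter can be, and escaping guarantees that whatever gets through is rendered as text in the context it lands in.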
