CVE-2024-56069
Published: 02 January 2025
Summary
CVE-2024-56069 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-56069 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WP SuperBackup plugin (indeed-wp-superbackup) by azzaroco for WordPress. This issue affects all versions of the plugin from its initial release through 2.3.3. The vulnerability carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no privileges required, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.
Attackers can exploit this reflected XSS remotely without authentication by tricking users, such as site administrators, into interacting with a maliciously crafted URL or input that gets reflected back without neutralization during web page generation. Successful exploitation executes arbitrary JavaScript in the victim's browser context, potentially enabling session hijacking, data theft, or further site compromise depending on the victim's privileges.
The Patchstack advisory provides details on this vulnerability, including mitigation guidance, at https://patchstack.com/database/Wordpress/Plugin/indeed-wp-superbackup/vulnerability/wordpress-wp-superbackup-plugin-2-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52967
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Reflected XSS.This issue affects WP SuperBackup: from n/a through <= 2.3.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of the app (T1190), arbitrary JS execution in browser (T1059.007), and drive-by compromise via malicious URL (T1189).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents reflected XSS by requiring filtering of information prior to output to web pages, addressing the improper neutralization during web page generation in the WP SuperBackup plugin.
Mitigates reflected XSS by validating user inputs to block malicious payloads before they are reflected in web page generation.
Addresses the specific flaw in WP SuperBackup versions through 2.3.3 by requiring timely remediation via security patches.