Cyber Resilience

CVE-2024-56299

High

Published: 07 January 2025

Published
07 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0020 41.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56299 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-56299 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-Site Scripting (XSS) under CWE-79, in the Pektsekye Notify Odoo (notify-odoo) WordPress plugin. This issue affects Notify Odoo versions from an unspecified starting point through 1.0.0. The vulnerability was published on 2025-01-07 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction requirement, and changed scope with low impacts across confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely by leveraging a CSRF-to-Stored XSS vector, as detailed in the Patchstack advisory. Exploitation requires tricking a user into interacting with a malicious payload, such as submitting crafted input via a cross-site request forgery that stores executable scripts on the target site. Successful exploitation allows attackers to inject and persist malicious scripts, potentially leading to session hijacking, data theft, or further site compromise for subsequent visitors, though impacts remain limited per the CVSS metrics.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/notify-odoo/vulnerability/wordpress-notify-odoo-plugin-1-0-0-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the vulnerability specifically in Notify Odoo WordPress plugin version 1.0.0. Security practitioners should review the advisory for detailed patch information, update to a fixed version if available, and implement input sanitization or content security policies as interim mitigations.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pektsekye Notify Odoo notify-odoo allows Stored XSS.This issue affects Notify Odoo: from n/a through <= 1.0.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct exploitation of a stored XSS flaw in a public-facing WordPress plugin via CSRF vector matches T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47873Shared CWE-79
CVE-2026-7052Shared CWE-79
CVE-2024-56060Shared CWE-79
CVE-2025-49043Shared CWE-79
CVE-2026-40038Shared CWE-79
CVE-2024-56022Shared CWE-79
CVE-2025-68889Shared CWE-79
CVE-2026-1074Shared CWE-79
CVE-2025-22539Shared CWE-79
CVE-2025-22286Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces validation of untrusted inputs to the Notify Odoo plugin, preventing storage of malicious XSS payloads via CSRF vectors.

prevent

Filters and sanitizes stored data prior to output in web pages, neutralizing executable scripts and blocking XSS execution for site visitors.

preventrecover

Mandates timely identification, reporting, and patching of the specific XSS flaw in Notify Odoo versions through 1.0.0.

References