CVE-2024-56299
Published: 07 January 2025
Summary
CVE-2024-56299 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces validation of untrusted inputs to the Notify Odoo plugin, preventing storage of malicious XSS payloads via CSRF vectors.
Filters and sanitizes stored data prior to output in web pages, neutralizing executable scripts and blocking XSS execution for site visitors.
Mandates timely identification, reporting, and patching of the specific XSS flaw in Notify Odoo versions through 1.0.0.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct exploitation of a stored XSS flaw in a public-facing WordPress plugin via CSRF vector matches T1190 (Exploit Public-Facing Application).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pektsekye Notify Odoo notify-odoo allows Stored XSS.This issue affects Notify Odoo: from n/a through <= 1.0.0.
Deeper analysisAI
CVE-2024-56299 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-Site Scripting (XSS) under CWE-79, in the Pektsekye Notify Odoo (notify-odoo) WordPress plugin. This issue affects Notify Odoo versions from an unspecified starting point through 1.0.0. The vulnerability was published on 2025-01-07 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction requirement, and changed scope with low impacts across confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability remotely by leveraging a CSRF-to-Stored XSS vector, as detailed in the Patchstack advisory. Exploitation requires tricking a user into interacting with a malicious payload, such as submitting crafted input via a cross-site request forgery that stores executable scripts on the target site. Successful exploitation allows attackers to inject and persist malicious scripts, potentially leading to session hijacking, data theft, or further site compromise for subsequent visitors, though impacts remain limited per the CVSS metrics.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/notify-odoo/vulnerability/wordpress-notify-odoo-plugin-1-0-0-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the vulnerability specifically in Notify Odoo WordPress plugin version 1.0.0. Security practitioners should review the advisory for detailed patch information, update to a fixed version if available, and implement input sanitization or content security policies as interim mitigations.
Details
- CWE(s)