Reflected Cross-Site Scripting Vulnerability in Simple Catalogue WordPress Plugin
CVE-2024-13633

7.1HIGH

Key Information:

Vendor: WordPress
Status: Simple Catalogue
Vendor: CVE Published:; 26 February 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-13633?

The Simple Catalogue WordPress plugin prior to version 1.0.3 is susceptible to a reflected cross-site scripting (XSS) vulnerability due to improper sanitization of user-supplied parameters. This flaw allows attackers to inject malicious scripts that are subsequently executed in the context of a user's session. Consequently, this could be exploited specifically against users with elevated privileges, such as administrators, potentially compromising sensitive data and site integrity.

Affected Version(s)

Simple catalogue 0 <= 1.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-13633 - Proof of Concept

References

https://wpscan.com/vulnerability/4291d5eb-c006-42b0-accf-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 26, 2025
👾
Exploit known to exist
Feb 26, 2025
Vulnerability published
Feb 26, 2025
Vulnerability Reserved
Jan 22, 2025

Credit

Hassan Khan Yusufzai - Splint3r7

WPScan