CVE-2024-13362
Reflected XSS in WordPress Plugins and Themes via URL Parameter
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects multiple WordPress plugins and themes that do not properly sanitize or escape input in the url parameter. It is a Reflected Cross-Site Scripting (XSS) vulnerability, which allows unauthenticated attackers to inject malicious web scripts into pages.
If an attacker tricks a user into clicking a specially crafted link, the injected script executes in the user's browser, potentially compromising their session or data.
How can this vulnerability impact me? :
The vulnerability can lead to the execution of arbitrary scripts in the context of the affected website when a user interacts with a malicious link.
- It can result in theft of user credentials or session tokens.
- It may allow attackers to perform actions on behalf of the user.
- It can lead to the injection of malicious content or redirection to harmful sites.