CVE-2024-13057

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-13057
The Dyn Business Panel WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

7.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References
Link Resource
https://wpscan.com/vulnerability/6f869a3d-1ac1-4d31-8fe5-9b9795b15b5b/ Exploit Third Party Advisory
https://wpscan.com/vulnerability/6f869a3d-1ac1-4d31-8fe5-9b9795b15b5b/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:phycticio:dyn_business_panel:1.0.0:*:*:*:*:*:*:*
History

07 May 2025, 19:06

Type Values Removed Values Added
References () https://wpscan.com/vulnerability/6f869a3d-1ac1-4d31-8fe5-9b9795b15b5b/ - () https://wpscan.com/vulnerability/6f869a3d-1ac1-4d31-8fe5-9b9795b15b5b/ - Exploit, Third Party Advisory
CPE cpe:2.3:a:phycticio:dyn_business_panel:1.0.0:*:*:*:*:*:*:*
First Time Phycticio dyn Business Panel
Phycticio
Summary
  • (es) El complemento Dyn Business Panel para WordPress hasta la versión 1.0.0 no tiene verificación CSRF en algunos lugares y le falta desinfección y escape, lo que podría permitir a los atacantes hacer que el administrador que haya iniciado sesión agregue XSS almacenado payloads a través de un ataque CSRF.
CWE CWE-352

27 Jan 2025, 20:15

Type Values Removed Values Added
References () https://wpscan.com/vulnerability/6f869a3d-1ac1-4d31-8fe5-9b9795b15b5b/ - () https://wpscan.com/vulnerability/6f869a3d-1ac1-4d31-8fe5-9b9795b15b5b/ -
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.1

27 Jan 2025, 06:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-27 06:15

Updated : 2025-05-07 19:06

NVD link : CVE-2024-13057

Mitre link : CVE-2024-13057

CVE.ORG link : CVE-2024-13057

JSON object : View

Products Affected

phycticio

  • dyn_business_panel
CWE
CWE-352

Cross-Site Request Forgery (CSRF)