CVE-2024-12749

7.1 HIGH

📋 TL;DR

This vulnerability in the Competition Form WordPress plugin allows attackers to inject malicious scripts via unsanitized parameters, which execute when viewed by administrators or other high-privilege users. It affects WordPress sites running Competition Form plugin version 2.0 and earlier. The attack requires tricking authenticated users into clicking a specially crafted link.

💻 Affected Systems

Products:
  • Competition Form WordPress Plugin
Versions: through 2.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the Competition Form plugin enabled. Attack requires user interaction with malicious link.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors.

🟠 Likely Case

Session hijacking of admin accounts, defacement, or credential theft through phishing.

🟢 If Mitigated

Limited impact if proper input validation and output escaping are implemented, or if the plugin is disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires social engineering to trick authenticated users into clicking malicious links. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 2.0

Vendor Advisory: https://wpscan.com/vulnerability/478316b9-9f47-4aa6-92c6-03879f16a3e5/

Restart Required: No

Instructions:

1. Update the Competition Form plugin to the latest version via the WordPress admin panel.
2. Verify that the plugin version is above 2.0.
3. Test competition forms for functionality.

🔧 Temporary Workarounds

Disable Competition Form Plugin (applies to: all)

Temporarily disable the plugin until patched to eliminate the vulnerability.

Implement WAF Rules (applies to: all)

Configure the web application firewall to block XSS payloads targeting competition form parameters.

🧯 If You Can't Patch

  • Restrict plugin access to trusted users only
  • Implement Content Security Policy (CSP) headers to mitigate script execution

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Competition Form version. If the version is 2.0 or lower, the site is vulnerable.

Check Version:

wp plugin list --name='competition-form' --field=version

Verify Fix Applied:

Verify plugin version is above 2.0 in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET/POST requests with script tags or JavaScript in competition form parameters
  • Multiple failed login attempts following suspicious parameter submissions

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript in competition form parameters
  • Unusual outbound connections from WordPress admin sessions

SIEM Query:

source="wordpress.log" AND (uri="*competition*" AND (param="*<script>*" OR param="*javascript:*"))
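As an added example (not part of this advisory or the plugin's own code), the following Python applies the SIEM query's logic to constructed access-log lines, and goes one step further by percent-decoding parameter values so that encoded and double-encoded payloads are flagged too; the log format and the parameter names used are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (not from the advisory). Format: METHOD URI STATUS
SAMPLE_LOG = """\
GET /wp-admin/admin.php?page=competition-form&id=42 200
GET /?competition_entry=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
POST /wp-admin/admin-ajax.php?action=competition_submit&name=javascript%3Aalert%281%29 200
GET /wp-admin/edit.php?post_type=page 200
GET /?competition_name=Alice 200
"""

# Same two indicators as the SIEM query: a <script> tag or a javascript: URI
SCRIPT_PATTERN = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def suspicious_params(uri: str) -> list:
    """Return (name, value) pairs of query parameters carrying a script tag or javascript: URI.

    parse_qsl percent-decodes once; the extra unquote_plus catches double-encoded payloads
    that a literal "*<script>*" match on the raw URI would miss.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        if SCRIPT_PATTERN.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text: str) -> list:
    """Flag requests whose URI mentions 'competition' and whose parameters match SCRIPT_PATTERN.

    Returns one dict per flagged line with the line number, method, URI and matching parameters.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; skip rather than crash the scan
        method, uri = parts[0], parts[1]
        if "competition" not in uri.lower():
            continue  # equivalent of uri="*competition*" in the SIEM query
        hits = suspicious_params(uri)
        if hits:
            findings.append({"line": lineno, "method": method, "uri": uri, "params": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```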
