CVE-2024-13055

7.1 HIGH

📋 TL;DR

The Dyn Business Panel WordPress plugin through version 1.0.0 contains a reflected cross-site scripting (XSS) vulnerability. Attackers can inject malicious scripts via unsanitized parameters, which execute when viewed by administrators or other high-privilege users. This affects WordPress sites using the vulnerable plugin.

💻 Affected Systems

Products:
  • Dyn Business Panel WordPress plugin
Versions: through 1.0.0
Operating Systems: any
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the plugin active. Requires user interaction (admin must click malicious link).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors.

🟠

Likely Case

Session hijacking of admin accounts, unauthorized actions within WordPress dashboard, or credential theft.

🟢

If Mitigated

Limited impact if administrators use browsers with XSS protection or have script blockers enabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires tricking authenticated admin users into clicking a specially crafted link. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >1.0.0

Vendor Advisory: https://wpscan.com/vulnerability/91178272-ed7e-412c-a187-e360a1313004/

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Locate 'Dyn Business Panel' plugin.
4. Check for updates or remove if no update available.
5. If update exists, click 'Update Now'.
6. Verify plugin is deactivated or updated to version above 1.0.0.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily deactivate the vulnerable plugin until patched.

wp plugin deactivate dyn-business-panel

Web Application Firewall (WAF)

all

Configure WAF to block XSS payloads targeting the vulnerable parameter.

🧯 If You Can't Patch

  • Remove the Dyn Business Panel plugin entirely from the WordPress installation.
  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for 'Dyn Business Panel' version 1.0.0 or lower.

Check Version:

wp plugin get dyn-business-panel --field=version

Verify Fix Applied:

Confirm plugin is either removed or updated to version above 1.0.0 in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET/POST requests containing script tags or JavaScript in parameters to plugin pages.
  • Admin user sessions with unexpected referrer URLs containing encoded payloads.

Network Indicators:

  • HTTP requests with suspicious parameters like <script> or javascript: in URLs targeting the plugin.

SIEM Query:

source="wordpress.log" AND ("dyn-business-panel" OR "Dyn Business Panel") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
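As an added example (not part of this advisory), the Python below applies the log indicators above to constructed access-log lines: it keeps only requests that reference the plugin slug, percent-decodes each query parameter and the referrer (twice, so encoded payloads are not missed), and matches the same markers the SIEM query uses. The admin page URL, IP addresses and log lines are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Plugin slug as used by the wp-cli command in the advisory.
PLUGIN_SLUG = "dyn-business-panel"
# Marker substrings taken from the SIEM query above (compared case-insensitively).
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")

# Combined log format: client, identity, user, timestamp, request line, status, size, referrer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)"'
)

def has_xss_marker(value):
    """Decode twice so single- and double-encoded markers are both caught."""
    decoded = unquote(unquote(value)).lower()
    return any(marker in decoded for marker in XSS_MARKERS)

def flag_line(line):
    """Return a finding dict for a plugin-related request carrying an XSS marker, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target, referrer = m.group("target"), m.group("referrer")
    if PLUGIN_SLUG not in target.lower() and PLUGIN_SLUG not in referrer.lower():
        return None
    where = []
    # Inspect each query parameter value on its own (parse_qsl decodes once already).
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if has_xss_marker(value):
            where.append(f"param:{name}")
    # Referrer check covers the "unexpected referrer URLs containing encoded payloads" indicator.
    if has_xss_marker(referrer):
        where.append("referrer")
    if not where:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "where": where}

def scan_log(text):
    return [f for f in (flag_line(line) for line in text.splitlines()) if f]

# Constructed sample log; the admin page path is an assumed plugin URL, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=dyn-business-panel&tab=settings HTTP/1.1" 200 5120 "https://example.test/wp-admin/"
203.0.113.9 - - [10/Jan/2025:10:02:13 +0000] "GET /wp-admin/admin.php?page=dyn-business-panel&tab=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5300 "-"
203.0.113.9 - - [10/Jan/2025:10:02:40 +0000] "GET /wp-admin/admin.php?page=dyn-business-panel HTTP/1.1" 200 5300 "https://third-party.invalid/?x=%253Cscript%253E"
198.51.100.2 - - [10/Jan/2025:10:03:00 +0000] "GET /wp-admin/admin.php?page=other-plugin&q=%3Cscript%3E HTTP/1.1" 200 100 "-"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The last sample line is deliberately not flagged: it carries a marker but does not touch the plugin, which keeps the rule scoped to this advisory rather than to all XSS noise.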

🔗 References
