CVE-2024-13057

7.1 HIGH

📋 TL;DR

This vulnerability in the Dyn Business Panel WordPress plugin allows an attacker to use Cross-Site Request Forgery (CSRF) to make a logged-in administrator submit a request that stores a malicious script (stored Cross-Site Scripting, XSS). Because the injected script persists in the site, it can later run in the browsers of administrators and visitors, potentially compromising admin sessions. WordPress sites running a vulnerable version of this plugin are affected.

💻 Affected Systems

Products:
  • Dyn Business Panel WordPress Plugin
Versions: through 1.0.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin active and an admin user logged in.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access, deface websites, steal session cookies, redirect users to malicious sites, or install backdoors for persistent access.

🟠 Likely Case

Attackers inject malicious JavaScript to steal admin credentials, hijack sessions, or modify website content without authorization.

🟢 If Mitigated

With proper CSRF tokens and input validation, the attack fails, maintaining normal plugin functionality with no security impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering to trick admin into clicking malicious link while authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check plugin repository for updates beyond 1.0.0

Vendor Advisory: https://wpscan.com/vulnerability/6f869a3d-1ac1-4d31-8fe5-9b9795b15b5b/

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins > Installed Plugins.
  3. Find the Dyn Business Panel plugin.
  4. Click 'Update Now' if available.
  5. If no update is available, deactivate and remove the plugin.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily deactivate the vulnerable plugin until patched.

wp plugin deactivate dyn-business-panel

Implement CSRF Protection

all

Add CSRF tokens manually to plugin forms if you have development access.
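The following is an added example of what "adding CSRF tokens to plugin forms" looks like in WordPress; it is not code from the Dyn Business Panel plugin, and every name in it (the `dbp_demo_*` option, action and nonce names, the "tagline" field) is hypothetical. It shows the three controls the "If Mitigated" section relies on: a nonce on the form, a capability check on the handler, and sanitization before storage plus escaping on output so that a submitted script can neither persist nor execute.

```php
<?php
// Added example (not the plugin's own code): a minimal WordPress admin
// settings form protected against CSRF and stored XSS.
// All dbp_demo_* names and the "tagline" field are hypothetical.

// Render the form. wp_nonce_field() emits a hidden per-user, time-limited
// token tied to the action name; esc_attr() escapes the stored value on
// output so a previously saved string cannot break out of the attribute.
function dbp_demo_render_form() {
    $value = get_option( 'dbp_demo_tagline', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dbp_demo_save">
        <?php wp_nonce_field( 'dbp_demo_save', 'dbp_demo_nonce' ); ?>
        <label for="dbp_demo_tagline">Tagline</label>
        <input type="text" id="dbp_demo_tagline" name="dbp_demo_tagline"
               value="<?php echo esc_attr( $value ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the submission. check_admin_referer() calls wp_die() unless the
// nonce is present and valid for the current user, which is what defeats a
// forged cross-site request: the attacker's page cannot read or guess it.
function dbp_demo_handle_save() {
    check_admin_referer( 'dbp_demo_save', 'dbp_demo_nonce' );

    // A valid nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // sanitize_text_field() strips HTML tags, invalid octets and line breaks,
    // so a <script> element submitted here does not reach the database.
    $raw   = isset( $_POST['dbp_demo_tagline'] ) ? wp_unslash( $_POST['dbp_demo_tagline'] ) : '';
    $clean = sanitize_text_field( $raw );
    update_option( 'dbp_demo_tagline', $clean );

    // Return to the settings page (hypothetical slug) with a status flag.
    wp_safe_redirect( add_query_arg( array( 'page' => 'dbp-demo', 'updated' => '1' ), admin_url( 'admin.php' ) ) );
    exit;
}

// admin-post.php routes the form's "action" value to this handler for
// logged-in users; unauthenticated requests never reach it.
add_action( 'admin_post_dbp_demo_save', 'dbp_demo_handle_save' );
```

The nonce check must run on every state-changing request, not only on the form that renders it; a plugin that validates the token on one path but accepts the same change through an AJAX or GET handler without it is still forgeable.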

🧯 If You Can't Patch

  • Remove the plugin entirely and find alternative functionality.
  • Implement web application firewall (WAF) rules to block XSS payloads and suspicious POST requests to plugin endpoints.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for Dyn Business Panel version 1.0.0 or earlier.

Check Version:

wp plugin get dyn-business-panel --field=version

Verify Fix Applied:

Verify plugin version is updated beyond 1.0.0 in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin-ajax.php or plugin-specific endpoints
  • JavaScript injection patterns in form submissions
  • Multiple failed admin login attempts followed by successful login

Network Indicators:

  • Suspicious outbound connections from WordPress server to unknown domains
  • Unexpected iframe or script tags in HTTP responses

SIEM Query:

source="wordpress.log" AND ("dyn-business-panel" OR "admin-ajax.php") AND (POST AND ("script" OR "iframe" OR "javascript:"))
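As an added example (not part of the advisory), the scanner below applies the same logic as the SIEM query to web-server access-log lines: a POST to admin-ajax.php or a plugin path whose URL contains "script", "iframe" or "javascript:" after URL-decoding. The log lines are constructed for illustration. One caveat a practitioner needs: standard access logs do not record POST bodies, so this only catches a payload carried in the query string; to see form bodies you need WAF or ModSecurity audit logs.

```php
<?php
// Added example: scan access-log lines for the indicators named in the
// advisory's SIEM query. The sample lines below are constructed, and the
// hostnames in them are documentation/test names, not real sites.

function dbp_demo_suspicious_lines( array $lines ): array {
    $hits = array();
    foreach ( $lines as $n => $line ) {
        // Scope: POST requests to admin-ajax.php or a plugin-specific path.
        if ( ! preg_match( '#"POST [^"]*(admin-ajax\.php|dyn-business-panel)#i', $line ) ) {
            continue;
        }
        // Decode percent-encoding so %3Cscript%3E is inspected as <script>.
        $decoded = rawurldecode( $line );
        if ( preg_match( '#script|iframe|javascript:#i', $decoded ) ) {
            // An off-site Referer on an admin POST is a secondary CSRF signal.
            $referer = preg_match( '#" \d{3} \d+ "([^"]*)"#', $line, $m ) ? $m[1] : '-';
            $hits[] = array( 'line' => $n + 1, 'referer' => $referer, 'text' => $line );
        }
    }
    return $hits;
}

// Constructed sample log (Apache combined format).
$sample_log = array(
    '203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2025:10:02:30 +0000] "POST /wp-admin/admin.php?page=dyn-business-panel&title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0 "https://third-party.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2025:10:03:11 +0000] "GET /wp-content/plugins/dyn-business-panel/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
);

foreach ( dbp_demo_suspicious_lines( $sample_log ) as $hit ) {
    printf( "line %d (referer %s): %s\n", $hit['line'], $hit['referer'], $hit['text'] );
}
// Only the second line is reported: the heartbeat POST carries no payload
// and the GET for a stylesheet is out of scope.
```

Expect noise from this query on a busy site, since "script" also matches legitimate parameter names; triage on the combination of an admin POST, an off-site Referer and a decoded payload rather than on the keyword alone.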
