CVE-2024-13094
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into WordPress admin pages via unsanitized parameters in the WP Triggers Lite plugin. When high-privilege users like administrators view pages containing the malicious scripts, attackers can steal session cookies, perform actions on their behalf, or redirect them to malicious sites. All WordPress sites using vulnerable versions of WP Triggers Lite are affected.
💻 Affected Systems
- WP Triggers Lite WordPress plugin
📦 What is this software?
Wp Triggers Lite by Wptriggers
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack administrator sessions, install backdoors, deface websites, steal sensitive data, or pivot to internal network systems if the WordPress instance has internal access.
Likely Case
Attackers would typically steal administrator session cookies to gain unauthorized access, then modify content, install malicious plugins, or exfiltrate user data.
If Mitigated
With proper web application firewalls and security headers, the attack would be blocked or the impact limited to session theft without further compromise.
🎯 Exploit Status
Exploitation requires tricking authenticated users (especially admins) into clicking malicious links. No authentication bypass is needed for the XSS itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.4 or later
Vendor Advisory: https://wpscan.com/vulnerability/7a75809e-824e-458e-bd01-50dadcea7713/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Triggers Lite and click 'Update Now' if available.
4. If no update appears, manually download version 2.5.4+ from WordPress.org and replace the plugin files via FTP/SFTP.
🔧 Temporary Workarounds
Disable WP Triggers Lite plugin
Temporarily deactivate the plugin until it is patched:
wp plugin deactivate wp-triggers-lite
Implement Content Security Policy
Add CSP headers to block inline script execution. Note that wp-admin itself relies on inline scripts, so a script-src without 'unsafe-inline' will break parts of the admin interface; test on a staging site before deploying.
Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules
- Restrict admin panel access to specific IP addresses using .htaccess or firewall rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for WP Triggers Lite version 2.5.3 or earlier
Check Version:
wp plugin get wp-triggers-lite --field=version
Verify Fix Applied:
Verify WP Triggers Lite version is 2.5.4 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests with script tags in parameters to wp-triggers-lite endpoints
- Multiple failed login attempts followed by successful admin login from new IP
Network Indicators:
- HTTP requests containing <script> tags in query parameters to WordPress admin URLs
- Outbound connections to suspicious domains after admin login
SIEM Query:
source="wordpress.log" AND (uri="*wp-triggers-lite*" AND (param="*<script>*" OR param="*javascript:*"))
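As an added example (not part of this advisory), the log indicators and SIEM query above applied to constructed Apache access-log lines. Unlike the literal "*<script>*" match, it URL-decodes each parameter value (repeatedly, so double-encoded forms are caught), since request logs normally record the encoded %3Cscript%3E form rather than a literal tag. The log lines, IPs and parameter names are invented for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "GET /wp-admin/admin.php?page=wp-triggers-lite&tab=settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:01:07 +0000] "GET /wp-admin/admin.php?page=wp-triggers-lite&tab=%3Cscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:01:09 +0000] "GET /wp-admin/admin.php?page=wp-triggers-lite&tab=%253Cscript%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2025:10:02:00 +0000] "GET /wp-admin/admin.php?page=wp-triggers-lite&id=javascript%3A HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Jan/2025:10:03:00 +0000] "GET /wp-admin/edit.php?post_type=page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, request URI.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# The two indicators named in the advisory: a script tag or a javascript: URL.
XSS_MARKERS = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %253C (double-encoded '<') is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(uri):
    """Return (name, decoded value) pairs whose value contains an XSS marker."""
    query = urlsplit(uri).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # decodes once
        decoded = decode_fully(value)
        if XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Flag requests to wp-triggers-lite pages whose parameters carry script markers."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "wp-triggers-lite" not in m.group("uri").lower():
            continue
        hits = suspicious_params(m.group("uri"))
        if hits:
            alerts.append({"ip": m.group("ip"), "time": m.group("ts"),
                           "uri": m.group("uri"), "params": hits})
    return alerts
```

Running scan_log(SAMPLE_LOG) flags the three requests with encoded, double-encoded and javascript: parameter values and ignores the benign settings-page request and the unrelated edit.php request.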