CVE-2024-13459 – The FuseDesk WordPress plugin has a stored XSS ... (How to Fix)

Q: What is the severity of CVE-2024-13459?

CVE-2024-13459 has a CVSS score of 6.4 (MEDIUM). The FuseDesk WordPress plugin has a stored XSS vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users visit the compromised pages, potentially stealing credentials or performing unauthorized actions. This affects all WordPress sites using FuseDesk plugin versions up to 6.6.1.

📋 TL;DR

The FuseDesk WordPress plugin has a stored XSS vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users visit the compromised pages, potentially stealing credentials or performing unauthorized actions. This affects all WordPress sites using FuseDesk plugin versions up to 6.6.1.

💻 Affected Systems

Products:

FuseDesk WordPress Plugin

Versions: All versions up to and including 6.6.1

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with FuseDesk plugin enabled and at least one user with contributor-level permissions.

📦 What is this software?

Fusedesk by Jeremyshapiro

View all CVEs affecting Fusedesk →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, take over the WordPress site, install backdoors, deface the website, or redirect visitors to malicious sites.

🟠

Likely Case

Attackers with contributor accounts inject malicious scripts to steal user session cookies, perform actions as logged-in users, or display phishing content.

🟢

If Mitigated

With proper user access controls and content security policies, impact is limited to the specific compromised pages and affected user sessions.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is straightforward once an attacker has contributor-level credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.6.2 or later

Vendor Advisory: https://wordpress.org/plugins/fusedesk/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find FuseDesk and click 'Update Now'. 4. Verify version is 6.6.2 or higher.

🔧 Temporary Workarounds

Disable FuseDesk Plugin

all

Temporarily disable the vulnerable plugin until patching is possible

wp plugin deactivate fusedesk

Restrict User Roles

all

Remove contributor-level access from untrusted users and implement least privilege

🧯 If You Can't Patch

Implement Content Security Policy (CSP) headers to restrict script execution
Regularly audit user accounts and remove unnecessary contributor-level permissions

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → FuseDesk version. If version is 6.6.1 or lower, you are vulnerable.

Check Version:

wp plugin get fusedesk --field=version

Verify Fix Applied:

After updating, verify FuseDesk version shows 6.6.2 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

Unusual shortcode usage in post/page content
Multiple failed login attempts followed by contributor account access
Suspicious script tags in post/page revisions

Network Indicators:

Unexpected JavaScript loading from WordPress pages
Suspicious outbound connections from admin pages

SIEM Query:

source="wordpress" AND (event="post_updated" OR event="plugin_updated") AND plugin="fusedesk"

📊 Metadata

CVE ID: CVE-2024-13459

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.08% exploit probability (22.8th percentile)

Published: February 12, 2025

Last Updated: February 18, 2025

🔗 References

https://wordpress.org/plugins/fusedesk/ Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/a69a99af-3d1d-4ad2-b6b5-e4fcea56be51?source=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13459, you might also want to check these: