CVE-2024-13497

7.2 HIGH

📋 TL;DR

The Tripetto WordPress plugin (versions up to and including 8.0.9) has a stored cross-site scripting (XSS) vulnerability in its attachment upload handling, because uploaded input is not sufficiently sanitized. Unauthenticated attackers can upload malicious files that execute JavaScript when a user opens them. Every WordPress site running a vulnerable Tripetto version is affected.

💻 Affected Systems

Products:
  • Tripetto WordPress Plugin
Versions: All versions up to and including 8.0.9
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Tripetto plugin to be installed and active with attachment upload functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal admin session cookies, redirect users to malicious sites, deface the website, or perform actions as authenticated users.

🟠 Likely Case

Session hijacking, credential theft, or website defacement through malicious script execution in users' browsers.

🟢 If Mitigated

With proper CSP headers and file upload restrictions in place the impact is limited, but users who open a malicious attachment remain at risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires uploading malicious files through Tripetto forms, which unauthenticated users can do by default.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.1.0 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3251202%40tripetto%2Ftrunk&old=3231968%40tripetto%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Tripetto plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 8.1.0+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable Tripetto Plugin (WordPress)

Temporarily disable the Tripetto plugin until patched:

wp plugin deactivate tripetto

Restrict File Uploads (WordPress)

Configure Tripetto to disable attachment uploads, or restrict them to trusted users only.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Disable Tripetto forms that accept file uploads from unauthenticated users

🔍 How to Verify

Check if Vulnerable:

Check Tripetto plugin version in WordPress admin panel under Plugins > Installed Plugins

Check Version:

wp plugin get tripetto --field=version

Verify Fix Applied:

Verify Tripetto plugin version is 8.1.0 or higher after update
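The version check above, as an added helper script that is not part of this advisory: it compares the installed Tripetto version (from the same `wp plugin get tripetto --field=version` call) against the first fixed release, 8.1.0, with a numeric component-wise comparison so that e.g. 8.10.0 is not mistaken for a vulnerable build. The `--live` flag and the exit codes are this script's own conventions, not WP-CLI's.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an installed Tripetto
# version against the first fixed release named above, 8.1.0.
# Versions below 8.1.0 (i.e. up to and including 8.0.9) are affected.

FIXED_VERSION="8.1.0"

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Components are compared numerically, so 8.10.0 is newer than 8.1.0;
# a missing component counts as 0 and non-digit suffixes are ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        x=$(printf '%s' "$x" | tr -cd '0-9'); y=$(printf '%s' "$y" | tr -cd '0-9')
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # versions are equal
}

# tripetto_is_vulnerable VERSION: succeed when VERSION is in the affected range.
tripetto_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_installed: query the live site with WP-CLI (run from the WordPress
# root with wp on PATH) and report. Exit 0 = patched, 1 = vulnerable,
# 2 = plugin not installed or wp unavailable.
check_installed() {
    v=$(wp plugin get tripetto --field=version 2>/dev/null) || {
        echo "tripetto not installed or wp-cli unavailable"; return 2; }
    if tripetto_is_vulnerable "$v"; then
        echo "VULNERABLE: tripetto $v is below $FIXED_VERSION; update to 8.1.0 or later"
        return 1
    fi
    echo "OK: tripetto $v is $FIXED_VERSION or later"
}

# Only talk to a real site when asked, so the helpers can be sourced safely.
if [ "${1:-}" = "--live" ]; then
    check_installed
fi
```

Run it as `sh check_tripetto.sh --live` from the WordPress root to query the site; without the flag it only defines the functions.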

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to Tripetto endpoints
  • Multiple failed upload attempts with suspicious filenames

Network Indicators:

  • HTTP requests to Tripetto attachment URLs with suspicious parameters
  • File uploads to /wp-content/plugins/tripetto/ paths

SIEM Query:

source="wordpress" AND (uri_path="/wp-content/plugins/tripetto/" OR user_agent CONTAINS "Tripetto") AND (method="POST" OR file_upload="true")
