Login Sign Up

CVE-2024-13577

6.4 MEDIUM
Cross-Site Scripting

📋 TL;DR

The CATS Job Listings WordPress plugin has a stored XSS vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users view the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using this plugin up to version 2.0.9 are affected.

💻 Affected Systems

Products:
  • CATS Job Listings WordPress Plugin
Versions: All versions up to and including 2.0.9
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled. Contributor-level access or higher needed for exploitation.

📦 What is this software?

Cats Job Listings by Catsone

View all CVEs affecting Cats Job Listings →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.

🟠

Likely Case

Attackers with contributor access inject malicious scripts to steal user session cookies or credentials, potentially gaining higher privileges.

🟢

If Mitigated

With proper user access controls and content security policies, impact is limited to script execution in the context of the vulnerable page.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.0 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3158989/cats-job-listings/trunk/CATSJobListingUser.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'CATS Job Listings' and click 'Update Now'. 4. Verify version is 2.1.0 or higher.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate cats-job-listings

Restrict User Roles

all

Remove contributor-level access from untrusted users

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Add WAF rules to block XSS payloads in shortcode attributes

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for CATS Job Listings version

Check Version:

wp plugin get cats-job-listings --field=version

Verify Fix Applied:

Verify plugin version is 2.1.0 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to WordPress admin with script-like content in parameters
  • Multiple failed login attempts followed by successful contributor login

Network Indicators:

  • Outbound connections to suspicious domains from WordPress server
  • Unusual JavaScript payloads in HTTP requests

SIEM Query:

source="wordpress.log" AND ("catsone" OR "cats-job-listings") AND ("script" OR "javascript:" OR "onerror=" OR "onload=")

📊 Metadata

CVE ID: CVE-2024-13577
CVSS v3 Score: 6.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE: CWE-79
EPSS Score: 0.08% exploit probability (22.8th percentile)
Published: February 18, 2025
Last Updated: February 21, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13577, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)