CVE-2024-13749

6.1 MEDIUM

📋 TL;DR

The StaffList WordPress plugin up to version 3.2.3 has a CSRF vulnerability that allows unauthenticated attackers to trick administrators into performing actions that update plugin settings or inject malicious scripts. This affects all WordPress sites using vulnerable versions of the StaffList plugin.

💻 Affected Systems

Products:
  • WordPress StaffList Plugin
Versions: All versions up to and including 3.2.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with StaffList plugin enabled. Attack requires administrator interaction with malicious link.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Site takeover through admin credential theft, malware distribution to visitors, or complete site defacement via injected scripts.

🟠 Likely Case: Malicious script injection leading to credential theft from site visitors or SEO spam injection.

🟢 If Mitigated: No impact if administrators don't click malicious links and proper CSRF protections are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CSRF attacks are well-understood and easy to weaponize. No authentication required, but requires social engineering to trick administrators.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.4 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3232922%40stafflist&new=3232922%40stafflist&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find the StaffList plugin.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 3.2.4+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Temporary Plugin Deactivation (platform: all)

Disable the StaffList plugin until patched:

wp plugin deactivate stafflist

CSRF Protection via .htaccess (platform: linux)

Add framing-restriction headers (requires Apache mod_headers; these limit clickjacking-style CSRF but do not block a direct cross-site form POST, so treat them as a partial measure):

Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "frame-ancestors 'self'"

🧯 If You Can't Patch

  • Remove StaffList plugin entirely if not essential
  • Implement strict Content Security Policy headers to limit script injection impact

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins for the StaffList version. If the version is 3.2.3 or lower, the site is vulnerable.

Check Version:

wp plugin get stafflist --field=version

Verify Fix Applied:

Verify StaffList plugin version is 3.2.4 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin.php?page=stafflist from unexpected referrers
  • Multiple failed nonce validation attempts

Network Indicators:

  • CSRF attack patterns with forged requests to stafflist endpoints
  • Malicious iframe or script tags in plugin settings

SIEM Query:

source="wordpress" AND (uri="/wp-admin/admin.php?page=stafflist" AND method="POST") AND referrer NOT CONTAINS own_domain
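As an added detection example (not part of this advisory), the SIEM query above re-implemented in Python over constructed Apache combined-format log lines. It assumes the site's admin hostname is example.org and, unlike the query, also flags POSTs whose Referer header is absent, because browsers may omit the header and its absence is not proof of a same-origin submission.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2025:10:01:02 +0000] "GET /wp-admin/admin.php?page=stafflist HTTP/1.1" 200 5120 "https://example.org/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2025:10:01:09 +0000] "POST /wp-admin/admin.php?page=stafflist HTTP/1.1" 302 0 "https://example.org/wp-admin/admin.php?page=stafflist" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2025:10:05:41 +0000] "POST /wp-admin/admin.php?page=stafflist HTTP/1.1" 302 0 "https://lure.invalid/page.html" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2025:10:06:03 +0000] "POST /wp-admin/admin.php?page=stafflist HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Feb/2025:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)
STAFFLIST_ADMIN_PATH = "/wp-admin/admin.php?page=stafflist"  # path from the advisory

def referrer_is_own_origin(referrer, own_hosts):
    """True only when the Referer parses to one of our own hostnames (exact match)."""
    if referrer in ("", "-"):
        return False
    host = urlparse(referrer).hostname
    return host is not None and host.lower() in own_hosts

def find_suspicious_stafflist_posts(log_text, own_hosts):
    """Flag POSTs to the StaffList settings page with a missing or foreign Referer."""
    # A missing Referer is flagged too: the advisory's query only matches foreign
    # referrers, but browsers may omit the header, so absence is not proof of
    # a same-origin submission.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        if m["method"] != "POST" or not m["uri"].startswith(STAFFLIST_ADMIN_PATH):
            continue
        if referrer_is_own_origin(m["referrer"], own_hosts):
            continue
        reason = "missing-referrer" if m["referrer"] in ("", "-") else "foreign-referrer"
        hits.append({"ip": m["ip"], "ts": m["ts"], "referrer": m["referrer"], "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_stafflist_posts(SAMPLE_LOG, {"example.org"}):
        print(hit)
```

List every hostname the admin panel is served from in own_hosts (for example both the bare domain and www), since the comparison is an exact match rather than a suffix check.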
