CVE-2024-13850

5.5 MEDIUM

📋 TL;DR

This stored XSS vulnerability in the Simple add pages or posts WordPress plugin allows authenticated administrators to inject malicious scripts into pages. When users view those pages, the scripts execute in their browsers. Only multi-site WordPress installations or those with unfiltered_html disabled are affected.

💻 Affected Systems

Products:
  • Simple add pages or posts WordPress plugin
Versions: All versions up to and including 2.0.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects WordPress multi-site installations OR installations where unfiltered_html capability is disabled


⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrator account compromise leads to site takeover, data theft, or malware distribution to all visitors.

🟠 Likely Case: A malicious administrator injects tracking scripts, defaces pages, or steals user session cookies.

🟢 If Mitigated: Limited impact, since exploitation requires administrator access and a specific WordPress configuration.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires administrator-level access and specific WordPress configuration

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.1 or later

Vendor Advisory: https://wordpress.org/plugins/simple-add-pages-or-posts/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Simple add pages or posts'.
4. Click 'Update Now' if available, or delete the plugin and reinstall the latest version.

🔧 Temporary Workarounds

Disable plugin (all)

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate simple-add-pages-or-posts

Enable unfiltered_html (all)

Enable the unfiltered_html capability for administrators (not recommended for multi-user environments):

Add define('DISALLOW_UNFILTERED_HTML', false); to wp-config.php

🧯 If You Can't Patch

  • Remove administrator access from untrusted users
  • Implement web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Simple add pages or posts. If the version is 2.0.0 or lower, the installation is vulnerable.

Check Version:

wp plugin get simple-add-pages-or-posts --field=version

Verify Fix Applied:

Verify plugin version is 2.0.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrator activity creating/modifying pages with script tags
  • Multiple page updates in short time

Network Indicators:

  • Outbound connections to suspicious domains from WordPress pages
  • Script tags in page content that shouldn't contain them

SIEM Query:

source="wordpress" AND (event="page_update" OR event="post_update") AND user_role="administrator" AND content CONTAINS "<script>"
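The SIEM rule above, implemented over a constructed WordPress audit log as an added example (not part of the advisory; the JSON-lines format and field names are assumed, since audit-log plugins differ). It widens the literal CONTAINS "<script>" match so that upper-case tags and tags with attributes, such as <script src=...>, are also caught.

```python
"""Added example, not part of the advisory: apply the detection rule from the SIEM
query above to a constructed WordPress audit log (JSON lines, field names assumed)."""
import json
import re

# Any opening <script ...> tag, case-insensitive, with or without attributes. A literal
# CONTAINS "<script>" match misses "<SCRIPT>" and "<script src=...>"; this does not.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

# Constructed sample log. Post 13 is the injection the rule should surface.
SAMPLE_LOG = """\
{"source": "wordpress", "event": "page_update", "user": "alice", "user_role": "administrator", "post_id": 12, "content": "<p>Welcome</p>"}
{"source": "wordpress", "event": "page_update", "user": "bob", "user_role": "administrator", "post_id": 13, "content": "<p>Hi</p><SCRIPT src='https://tracker.invalid/t.js'></SCRIPT>"}
{"source": "wordpress", "event": "post_update", "user": "carol", "user_role": "editor", "post_id": 14, "content": "<script>/* injected */</script>"}
{"source": "wordpress", "event": "login", "user": "bob", "user_role": "administrator"}
this line is not JSON and must be skipped
"""

def parse_log(text):
    """Parse JSON-lines input, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def flag_script_injections(events):
    """Events matching the rule: admin page/post update whose content has a <script> tag."""
    return [
        ev for ev in events
        if ev.get("source") == "wordpress"
        and ev.get("event") in ("page_update", "post_update")
        and ev.get("user_role") == "administrator"
        and SCRIPT_TAG.search(ev.get("content") or "")
    ]

def flagged_post_ids(text=SAMPLE_LOG):
    """Post IDs that should raise an alert for the given log text."""
    return [ev["post_id"] for ev in flag_script_injections(parse_log(text))]

if __name__ == "__main__":
    for ev in flag_script_injections(parse_log(SAMPLE_LOG)):
        print(f"ALERT post_id={ev['post_id']} user={ev['user']} event={ev['event']}")
```

Post 14 is deliberately not flagged: the rule, like the query above, is scoped to the administrator role this CVE requires, so a separate rule is needed if editors on your site hold unfiltered_html.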
