CVE-2024-13867

6.1 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated attackers to inject malicious scripts via the 's' parameter in the Listivo WordPress theme. When users click specially crafted links, the scripts execute in their browsers, potentially stealing cookies or session tokens. All WordPress sites using Listivo theme versions up to 2.3.67 are affected.

💻 Affected Systems

Products:
  • Listivo - Classified Ads WordPress Theme
Versions: All versions up to and including 2.3.67
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Listivo theme active. Vulnerability exists in theme's search functionality.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator session cookies, gain full control of WordPress site, install backdoors, or deface the website.

🟠

Likely Case

Attackers steal user session cookies, redirect users to malicious sites, or perform limited actions within the user's context.

🟢

If Mitigated

Script execution is blocked by browser security features or web application firewalls, limiting impact to minor UI disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple reflected XSS requiring user interaction (clicking malicious link). No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.3.68 or later

Vendor Advisory: https://themeforest.net/item/listivo-classified-ads-wordpress-theme/34032749

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Check for Listivo theme updates.
4. Update to version 2.3.68 or later.
5. Clear any caching plugin / CDN caches.

🔧 Temporary Workarounds

Web Application Firewall (WAF)
Applies to: all
Deploy WAF rules to block XSS payloads in URL parameters.

Disable Theme Search
Applies to: all
Remove or disable the vulnerable search functionality if it is not needed.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Use security plugins like Wordfence with XSS protection enabled

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Appearance > Themes and note the Listivo theme version. If the version is 2.3.67 or lower, the site is vulnerable.

Check Version:

wp theme list --fields=name,version --path=/path/to/wordpress | grep -i listivo

Verify Fix Applied:

After updating, test the search functionality with a basic XSS payload such as <script>alert('test')</script> in the 's' parameter. No script should execute, and the reflected value should appear HTML-encoded in the page source.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with script tags in 's' parameter
  • Unusual search queries containing JavaScript code

Network Indicators:

  • URLs containing script tags or encoded JavaScript in query parameters

SIEM Query:

source="web_access_logs" AND (uri_query="*<script*" OR uri_query="*javascript:*")
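An added Python detector (not part of this advisory) that applies the same two indicators to constructed access-log lines, percent-decoding each query parameter first so that encoded or double-encoded variants, which the literal SIEM pattern above only catches if the SIEM decodes the query, are still flagged. The log lines, IPs and timestamps are made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /?s=used+bikes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2025:12:00:02 +0000] "GET /?s=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2025:12:00:03 +0000] "GET /?s=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 4799 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Mar/2025:12:00:04 +0000] "GET /listing/?s=javascript%3Aalert(1) HTTP/1.1" 200 4790 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Mar/2025:12:00:05 +0000] "GET /wp-content/themes/listivo/style.css HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The advisory's two indicators: script tags and javascript: URIs, case-insensitive.
XSS_RE = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly until stable, so double-encoded payloads are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return [(param, decoded_value)] for query parameters carrying an XSS indicator."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = fully_decode(raw)  # parse_qsl already decoded one layer
        if XSS_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(text):
    """Return (line_no, client_ip, param, decoded_value) for each suspicious request."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, value in suspicious_params(m.group("target")):
            findings.append((line_no, client_ip, name, value))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %d from %s: param %r = %r" % f)
```

Lines 2 and 3 carry the same payload once and twice encoded; only the decoded form matches, which is why a raw substring match on the logged URI is not enough on its own.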
