CVE-2024-13868 – This vulnerability allows attackers to inject m... (How to Fix)

Q: What is the severity of CVE-2024-13868?

CVE-2024-13868 has a CVSS score of 6.1 (MEDIUM). This vulnerability allows attackers to inject malicious scripts via a URL parameter in the URL Shortener WordPress plugin. When an admin or other high-privilege user clicks a specially crafted link, the script executes in their browser session. All WordPress sites using vulnerable versions of this plugin are affected.

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts via a URL parameter in the URL Shortener WordPress plugin. When an admin or other high-privilege user clicks a specially crafted link, the script executes in their browser session. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:

URL Shortener | Conversion Tracking | AB Testing | WooCommerce WordPress plugin

Versions: through 9.0.2

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin enabled. The vulnerability is reflected XSS, so exploitation requires user interaction.

📦 What is this software?

Url Shortener \| Conversion Tracking \| Ab Testing \| Woocommerce by Tahminajannat

View all CVEs affecting Url Shortener \| Conversion Tracking \| Ab Testing \| Woocommerce →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal admin session cookies, perform actions as administrators (like installing backdoors), or redirect users to malicious sites.

🟠

Likely Case

Attackers craft phishing emails with malicious links targeting administrators to steal credentials or session tokens.

🟢

If Mitigated

With proper web application firewalls and user awareness training, successful exploitation becomes difficult.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires crafting a malicious URL and tricking a user (preferably an admin) to click it. No authentication is needed to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.3 or later

Vendor Advisory: https://wpscan.com/vulnerability/0bff1645-dd53-4416-a90f-7cf4a6b33c1a/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'URL Shortener' plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 9.0.3+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Configure WAF rules to block XSS payloads in URL parameters.

Disable Plugin

linux

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate url-shortener

🧯 If You Can't Patch

Implement Content Security Policy (CSP) headers to restrict script execution
Educate users (especially admins) about not clicking untrusted links

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 9.0.2 or earlier, you are vulnerable.

Check Version:

wp plugin get url-shortener --field=version

Verify Fix Applied:

After updating, verify plugin version shows 9.0.3 or later. Test by attempting to inject basic XSS payloads in URL parameters.

📡 Detection & Monitoring

Log Indicators:

Unusual GET requests with script tags in query parameters
Multiple 404 errors for similar malicious URLs

Network Indicators:

Outbound connections to unknown domains following admin page visits
Suspicious redirect patterns

SIEM Query:

source="wordpress.log" AND ("<script" OR "javascript:") AND uri_path="/wp-admin/"

📊 Metadata

CVE ID: CVE-2024-13868

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.03% exploit probability (6.9th percentile)

Published: March 6, 2025

Last Updated: May 21, 2025

🔗 References

https://wpscan.com/vulnerability/0bff1645-dd53-4416-a90f-7cf4a6b33c1a/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13868, you might also want to check these: