CVE-2024-13874

7.1 HIGH

📋 TL;DR

The Feedify WordPress plugin before version 2.4.6 contains a reflected cross-site scripting (XSS) vulnerability where unsanitized user input is reflected back in page output. This allows attackers to inject malicious scripts that execute in the browser of authenticated users, particularly targeting high-privilege administrators. WordPress sites using vulnerable versions of the Feedify plugin are affected.

💻 Affected Systems

Products:
  • Feedify WordPress plugin
Versions: All versions before 2.4.6
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability requires the plugin to be active and accessible via WordPress. No special configuration is needed to be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal administrator session cookies, perform actions as the administrator (including installing malicious plugins/themes, modifying content, or creating backdoors), and potentially compromise the entire WordPress site.

🟠 Likely Case

Attackers craft malicious links containing XSS payloads and trick administrators into clicking them, leading to session hijacking or limited administrative actions.

🟢 If Mitigated

With proper input validation and output escaping, the malicious scripts would be neutralized, preventing execution even if the vulnerable parameter is accessed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is reflected XSS, which typically requires user interaction (clicking a malicious link). Exploitation details are publicly available in the WPScan reference.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.6

Vendor Advisory: https://wpscan.com/vulnerability/c808e7cf-3285-402b-ab4f-a40ab822b12e/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Feedify plugin and update it to version 2.4.6 or later.
4. Alternatively, download the latest version from the WordPress plugin repository and update it manually.

🔧 Temporary Workarounds

Disable Feedify Plugin (Platform: all)

Temporarily deactivate the vulnerable plugin until patching is possible:

wp plugin deactivate feedify

Web Application Firewall (WAF) Rule (Platform: all)

Configure the WAF to block requests containing suspicious script patterns in the vulnerable parameter.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
  • Educate administrators about phishing risks and the need to avoid clicking untrusted links

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in WordPress admin under Plugins > Installed Plugins. If Feedify version is below 2.4.6, the site is vulnerable.

Check Version:

wp plugin get feedify --field=version

Verify Fix Applied:

After updating, confirm the Feedify plugin shows version 2.4.6 or higher in the WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET requests with script tags or JavaScript in query parameters to Feedify plugin endpoints
  • Multiple failed login attempts or administrative actions from unexpected IPs following suspicious requests

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript code in URL parameters
  • Outbound connections to suspicious domains following visits to crafted URLs

SIEM Query:

source="wordpress.log" AND (uri="*feedify*" AND (query="*<script>*" OR query="*javascript:*" OR query="*onerror=*"))
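The SIEM query above matches raw query strings, so a percent- or double-encoded payload slips past it. The following Python is an added example (not part of this advisory or of the plugin) that applies the same patterns to access-log lines after URL-decoding each parameter value. The combined log format, the admin URL in the constructed sample lines, and the parameter names are assumptions, not the plugin's real endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Same patterns as the advisory's SIEM query (script tags, javascript: URLs, event handlers).
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(error|load|click|mouseover|focus)\s*=", re.I),
]

# Apache/nginx "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Names of query parameters on a Feedify request whose decoded value matches an XSS pattern."""
    if "feedify" not in target.lower():      # same scoping as the SIEM query's uri="*feedify*"
        return []
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if any(p.search(decode_fully(value)) for p in XSS_PATTERNS):
            hits.append(name)
    return hits

def scan_log(lines):
    """Return (ip, timestamp, target, flagged_params) for each line that looks like an XSS probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (params := suspicious_params(m["target"])):
            findings.append((m["ip"], m["ts"], m["target"], params))
    return findings

# Constructed sample lines (not from the advisory); the admin URL is an assumed placeholder, not the real endpoint.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Feb/2025:10:01:02 +0000] "GET /wp-admin/admin.php?page=feedify&msg=hello HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Feb/2025:10:01:05 +0000] "GET /wp-admin/admin.php?page=feedify&msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 612',
    '198.51.100.9 - - [10/Feb/2025:10:01:09 +0000] "GET /wp-admin/admin.php?page=feedify&img=x%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 598',
    '198.51.100.4 - - [10/Feb/2025:10:02:00 +0000] "GET /wp-content/plugins/other/?q=%3Cscript%3E HTTP/1.1" 404 170',
]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines only; the third is double-encoded and would not match the literal `*onerror=*` in the SIEM query.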
