CVE-2024-13884

7.1 HIGH

📋 TL;DR

The Limit Bio WordPress plugin through version 1.0 contains a reflected cross-site scripting (XSS) vulnerability where unsanitized user input is reflected back in page output. This allows attackers to execute malicious JavaScript in the context of authenticated users, potentially compromising administrative accounts. WordPress sites using this plugin are affected.

💻 Affected Systems

Products:
  • Limit Bio WordPress plugin
Versions: All versions through 1.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the Limit Bio plugin enabled. The vulnerability affects the parameter handling in the plugin.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal admin session cookies, perform actions as administrators (install backdoors, modify content), or redirect users to malicious sites.

🟠 Likely Case

Attackers could hijack admin sessions to deface websites, inject malicious content, or steal sensitive information from logged-in users.

🟢 If Mitigated

With proper input validation and output escaping, the vulnerability would be prevented entirely.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires tricking authenticated users (including admins) into clicking a malicious link. No authentication bypass is needed for the XSS itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.0 (check plugin updates)

Vendor Advisory: https://wpscan.com/vulnerability/759a60ac-c890-4961-91e4-53db5096eb3c/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Limit Bio' plugin.
4. Click 'Update Now' if available.
5. If no update is available, disable and remove the plugin.

🔧 Temporary Workarounds

Disable Limit Bio Plugin

WordPress

Temporarily disable the vulnerable plugin until a patch is available

wp plugin deactivate limit-bio

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in the affected parameter
  • Restrict admin panel access to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Limit Bio' version 1.0 or earlier

Check Version:

wp plugin list --name=limit-bio --field=version

Verify Fix Applied:

Verify the plugin is updated to a version after 1.0 or completely removed

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET/POST requests containing script tags or JavaScript in the vulnerable parameter
  • Multiple failed login attempts following suspicious parameter values

Network Indicators:

  • HTTP requests with suspicious parameters containing <script> tags or JavaScript payloads

SIEM Query:

source="wordpress.log" AND ("limit-bio" OR "limit_bio") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
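Added example (not from the advisory or the plugin): a small Python scanner that applies the log indicators above to access-log lines, URL-decoding each query parameter (twice, to catch double encoding) before matching, which a raw-string query like the one above misses for encoded payloads. The log lines are constructed, and the parameter name `limit` is an assumption; the advisory does not name the vulnerable parameter, so every parameter of a limit-bio request is checked.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Indicators from the advisory's SIEM query, matched case-insensitively
# against decoded parameter values.
XSS_MARKERS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)
PLUGIN_MARKERS = ("limit-bio", "limit_bio")

# Minimal combined-log-format parser: client IP, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return details of a suspicious limit-bio request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a recognisable access-log line
    path = m.group("path")
    # Plugin check on the once-decoded path so %2D / %5F variants still match.
    if not any(p in unquote_plus(path).lower() for p in PLUGIN_MARKERS):
        return None
    # parse_qsl decodes once; decode again so double-encoded payloads
    # (e.g. %253Cscript%253E) are inspected in their final form.
    pairs = parse_qsl(urlsplit(path).query, keep_blank_values=True)
    hits = [k for k, v in pairs if XSS_MARKERS.search(unquote_plus(v))]
    if not hits:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "params": hits, "status": m.group("status")}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [r for r in (classify(l) for l in lines) if r]


# Constructed sample log lines (not real traffic); 'limit' is a made-up parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2025:12:00:01 +0000] "GET /wp-admin/admin.php'
    '?page=limit-bio&limit=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Feb/2025:12:00:02 +0000] "GET /wp-admin/admin.php'
    '?page=limit-bio&limit=160 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Feb/2025:12:00:03 +0000] "GET /wp-admin/admin.php'
    '?page=limit-bio&limit=%2522%2520onerror%253Dx HTTP/1.1" 200 5120',
    '192.0.2.9 - - [10/Feb/2025:12:00:04 +0000] "GET /wp-admin/admin.php'
    '?page=other&q=%3Cscript%3E HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```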
