CVERadar
CVE-2024-13352
Medium Severity | Alwayscurious
SVRS: 30
CVSSv3: 7.1
EPSS: 0.0054
Tags: Exploit In The Wild
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Publication date: 2025-02-07
Last modified: 2026-01-09
Security Intelligence Brief
1. What is this vulnerability and why does it matter?
This vulnerability, identified as CVE-2024-13352, is a Reflected Cross-Site Scripting (XSS) flaw in the Legull WordPress plugin. It matters because it lets an attacker inject a script into a page that other users then view. Critically, the flaw can be used against high-privilege users such as administrators, which can lead to unauthorized actions, session hijacking, or full compromise of the affected WordPress site.
2. What are the CVSS score, severity level, and disclosure details?
The CVSS score for this vulnerability is 7.1. This score indicates a High severity level. The vulnerability was published on 2025-02-07 06:00:03 and last modified on 2026-01-09 20:28:21.
3. Which products, vendors, systems, and versions are affected?
This vulnerability affects the Legull WordPress plugin: all versions up to and including 1.2.2 are vulnerable. The affected systems are WordPress installations where this plugin is active.
4. What is the technical root cause and attack vector?
The technical root cause of CVE-2024-13352 is improper input sanitization and output escaping. The Legull WordPress plugin fails to adequately sanitize and escape a parameter before it is output back into the page. The attack vector is Reflected Cross-Site Scripting (XSS), where a malicious script is reflected off the web server and executed in the victim's browser.
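To make the root cause concrete, here is an added, generic illustration in Python of the discipline whose absence produces a reflected XSS. It is not Legull's code, and the parameter names `display_name` and `return_url` and the page fragment are assumptions. The first function reflects request values straight into markup; the second escapes each value for the context it lands in and allow-lists URL schemes, because HTML-escaping alone does not neutralise a `javascript:` link inside an `href`.

```python
"""Generic illustration of reflected output: unescaped versus context-aware escaping.

Example code added to this page; not the Legull plugin's code. Parameter names
and the markup fragment are assumptions.
"""
import html
from urllib.parse import urlsplit

# Only absolute http(s) links are accepted for the return link (assumption for
# this example; a real site may also allow same-origin relative paths).
SAFE_URL_SCHEMES = {"http", "https"}


def render_unsafe(display_name: str, return_url: str) -> str:
    """Vulnerable pattern: request values are echoed straight into the page."""
    return (
        f"<p>Welcome back, {display_name}</p>"
        f'<a href="{return_url}">Return</a>'
    )


def safe_url(url: str) -> str:
    """Return the URL escaped for an attribute, or '#' if its scheme is not allowed.

    Escaping does not stop a 'javascript:' URL from running when placed in href,
    so the scheme is checked before the value is escaped for the attribute context.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in SAFE_URL_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_safe(display_name: str, return_url: str) -> str:
    """Hardened pattern: escape per output context (text node, URL attribute)."""
    return (
        f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"
        f'<a href="{safe_url(return_url)}">Return</a>'
    )


if __name__ == "__main__":
    # Constructed inputs showing the difference between the two renderers.
    name = "<script>alert(1)</script>"
    print(render_unsafe(name, "javascript:alert(1)"))
    print(render_safe(name, "javascript:alert(1)"))
```

The same separation applies to WordPress code: a value is escaped at the point of output with the function that matches the context (text, attribute, URL), not merely filtered on the way in.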
5. How can this vulnerability be exploited?
Exploitation of this vulnerability typically involves the following steps:
- An attacker crafts a malicious URL containing an XSS payload within an unsanitized parameter used by the Legull plugin.
- The attacker then persuades a target user, ideally a high-privilege user like an administrator, to click on this specially crafted URL (e.g., via phishing, social engineering, or embedding it in a seemingly legitimate link).
- When the victim's browser requests the URL, the server reflects the malicious script back to the browser within the HTML response.
- The victim's browser then executes the malicious script within the context of the vulnerable WordPress site.
- Successful execution can lead to various consequences, including session hijacking, unauthorized administrative actions, website defacement, or redirection to malicious sites.
6. What mitigation steps and patches are available?
The primary mitigation step is to update the Legull WordPress plugin to a version higher than 1.2.2. It is expected that versions released after 1.2.2 will contain the necessary patches to address the sanitization and escaping issues. Users should monitor the official Legull plugin repository or WordPress plugin directory for available updates. If an update is not immediately available, temporary mitigation might include disabling the plugin if its functionality is not critical, or implementing Web Application Firewall (WAF) rules to filter suspicious input containing script tags or other XSS payloads.
7. How can vulnerable systems be detected?
Vulnerable systems can be detected by:
- Manually checking the version of the Legull WordPress plugin installed on the WordPress instance. If the version is 1.2.2 or earlier, it is vulnerable.
- Using vulnerability scanners or security plugins designed for WordPress that can identify outdated or vulnerable plugin versions.
- Reviewing server logs and network traffic for unusual requests containing script-like payloads in URL parameters that target the Legull plugin's functionalities.
8. What are the indicators of compromise (IOCs)?
While the provided CVE data does not specify direct IOCs, general indicators of compromise for Reflected XSS vulnerabilities may include:
- Unusual HTTP GET requests in server access logs containing script payloads (e.g., `alert(1)`, `javascript:` URLs) in parameters handled by the Legull plugin.
- Unexpected redirects experienced by users after clicking specific links.
- Unauthorized changes made to the website, especially by administrative accounts, that cannot be attributed to legitimate user actions.
- Unusual JavaScript errors or behaviors observed in a user's browser console when interacting with pages using the Legull plugin.
9. Which threat actors are known to exploit this vulnerability?
At this time, the provided CVE data does not specify any particular threat actors or groups known to be actively exploiting CVE-2024-13352. However, XSS vulnerabilities are commonly targeted by various opportunistic attackers.
10. What public intelligence references and advisories exist?
The primary public intelligence reference for this vulnerability is its CVE identifier, CVE-2024-13352. This CVE entry itself serves as an advisory detailing the nature of the flaw, its impact, and affected versions. Further advisories may be available from the WordPress security team, Legull plugin developers, or third-party security researchers, typically linked from the official CVE details page.
11. What is the risk assessment and urgency level?
The risk assessment for CVE-2024-13352 is High. With a CVSS score of 7.1 and the capability to target high-privilege users (administrators), a successful exploitation could lead to significant compromise of the WordPress site, including data theft, unauthorized content modification, or complete control over the website. The urgency level is also High. Organizations using the Legull WordPress plugin in versions 1.2.2 or earlier should prioritize updating the plugin immediately to a patched version or, if no patch is available, consider temporarily disabling or removing the plugin until a fix is released.