The AWeber – Free Sign Up Form and Landing Page Builder plugin for WordPress is designed to facilitate email marketing, lead generation, and newsletter management. It allows users to create and embed sign-up forms, automate email campaigns, and integrate various marketing tools. However, a security vulnerability, CVE-2024-13313, was identified in versions below 7.3.21 that allows Stored Cross-Site Scripting (XSS). This article covers the discovery, exploitation, and mitigation of this vulnerability.
| Field | Value |
|---|---|
| CVE | CVE-2024-13313 |
| Plugin | AWeber < 7.3.21 |
| Criticality | High |
| All-time downloads | 686 848 |
| Active installations | 10 000+ |
| Publicly published | April 04, 2025 |
| Last updated | April 04, 2025 |
| Researcher | Artyom Krugov |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://wpscan.com/vulnerability/cc35b2f4-f1f1-4ed3-91b2-025bd5848b29/ , https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13313 |
Timeline
| Date | Event |
|---|---|
| December 27, 2024 | Plugin testing and vulnerability detection in AWeber were completed |
| December 27, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it |
| April 04, 2025 | CVE-2024-13313 registered |
Discovery of the Vulnerability
CVE-2024-13313 was discovered during a security assessment of the AWeber – Free Sign Up Form and Landing Page Builder plugin. The vulnerability exists within the subscriber management functionality, specifically in the "Add Subscriber to:", "Add Tags", "Subscription Label", and "Add Subscriber to" fields under the plugin's settings. The flaw arises from the plugin's failure to properly sanitize and validate user input in these fields, allowing an attacker to inject arbitrary HTML and JavaScript. Because the injected script is stored in the database, it executes whenever an administrator or another user opens the affected settings page. This missing input sanitization and output escaping enables stored XSS, which can lead to session hijacking, phishing, or unauthorized administrative actions performed in the victim's browser.
Understanding XSS Attacks
Stored XSS occurs when an attacker injects malicious scripts into a web application that are later executed when accessed by users. Unlike Reflected XSS, where the script is executed immediately upon submission, Stored XSS is more severe because the payload remains in the system and can affect multiple users over time.
Exploiting the XSS Vulnerability
To exploit CVE-2024-13313 (PoC):
1) Register an account on AWeber.
2) Authenticate the account by entering the authentication code into the WordPress plugin.
3) Navigate to the Settings tab.
4) Insert a malicious payload into the "Add Subscriber to:", "Add Tags", "Subscription Label", or "Add Subscriber to" fields.
5) Save the settings; the injected script executes whenever the stored data is rendered in the admin interface.
In the case of CVE-2024-13313, these payloads can be stored in subscriber management fields and executed when the administrator interacts with the settings panel.
Recommendations for Improved Security
Administrators using the AWeber – Free Sign Up Form and Landing Page Builder plugin should immediately update to the patched version (7.3.21 or later). Until the update is applied, it is advisable to restrict access to the plugin's settings and monitor for unauthorized modifications to subscriber-related fields. Developers must implement strict input validation on save and context-appropriate output escaping on render, particularly for fields that store user input and are later echoed into admin pages. Using functions such as `esc_attr()`, `wp_kses()`, and `sanitize_text_field()` helps mitigate these risks. Site owners should also consider deploying a Web Application Firewall (WAF) and conducting regular security scans to detect XSS and other injection vulnerabilities. To prevent this type of attack, the vendor adopted our recommended prevention methods.
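The following is an added illustration, not the AWeber plugin's own code, of the vulnerable pattern described above beside its hardened form. The option name `aweber_demo_tags`, the `demo_*` function names and the `aweber_demo_save` nonce action are hypothetical; the WordPress functions (`register_setting()`, `sanitize_text_field()`, `esc_attr()`, `esc_html()`, `check_admin_referer()`) are real core APIs.

```php
<?php
// Hypothetical settings field "aweber_demo_tags" (constructed for this example).

// Vulnerable pattern: raw POST value stored, raw option echoed into an attribute.
// Anything an authenticated user types, including <script> or a quote that
// closes the value attribute, is persisted and rendered verbatim on every load.
function demo_save_tags_vulnerable() {
    update_option( 'aweber_demo_tags', $_POST['tags'] ); // no sanitization
}
function demo_render_tags_vulnerable() {
    $tags = get_option( 'aweber_demo_tags', '' );
    echo '<input type="text" name="tags" value="' . $tags . '">'; // no escaping
}

// Hardened pattern: capability + nonce check, sanitize on save, escape on output.
function demo_register_settings() {
    register_setting(
        'aweber_demo_group',
        'aweber_demo_tags',
        array(
            'type'              => 'string',
            // Applied automatically whenever the option is saved via the Settings API:
            // strips tags, removes line breaks and extra whitespace.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'demo_register_settings' );

function demo_save_tags_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'aweber_demo_save' ); // rejects requests without a valid nonce
    $tags = isset( $_POST['tags'] ) ? sanitize_text_field( wp_unslash( $_POST['tags'] ) ) : '';
    update_option( 'aweber_demo_tags', $tags );
}

function demo_render_tags_hardened() {
    $tags = get_option( 'aweber_demo_tags', '' );
    // Attribute context: esc_attr() encodes quotes and angle brackets so the
    // stored value cannot break out of value="...".
    echo '<input type="text" name="tags" value="' . esc_attr( $tags ) . '">';
    wp_nonce_field( 'aweber_demo_save' );
    // Text context: esc_html(). If limited markup must be allowed instead,
    // use wp_kses( $tags, array( 'b' => array() ) ) with an explicit allowlist.
    echo '<p>' . esc_html( $tags ) . '</p>';
}
```

Sanitizing on save alone is not sufficient: values written by other code paths or older plugin versions are already in the database, so the escaping on output is what closes the stored XSS.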
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13313, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Artyom k.