CVE-2024-13667 in Uncode Plugin
Summary
by MITRE • 02/18/2025
The Uncode theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mle-description’ parameter in all versions up to, and including, 2.9.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/21/2025
The vulnerability identified as CVE-2024-13667 affects the Uncode theme for WordPress, presenting a critical stored cross-site scripting flaw that has significant implications for website security. This vulnerability exists in all versions up to and including 2.9.1.6, making it a widespread concern for WordPress users who have implemented this particular theme. The flaw specifically resides in the handling of the 'mle-description' parameter, which demonstrates poor input validation and output escaping mechanisms that are fundamental to preventing XSS attacks in web applications.
The technical implementation of this vulnerability stems from insufficient sanitization of user input within the theme's codebase. When authenticated users with subscriber-level access or higher submit content containing malicious scripts through the 'mle-description' parameter, the theme fails to properly sanitize this input before storing it in the database. Additionally, the theme does not implement adequate output escaping when rendering this stored content, creating a persistent XSS vector that can affect any user who accesses pages containing the injected scripts. This represents a classic stored XSS vulnerability pattern where malicious code is stored on the server and executed in the context of other users' browsers.
The operational impact of this vulnerability is particularly concerning given the low privilege level required to exploit it. Attackers only need subscriber-level access to the WordPress site to carry out this attack, which means that even relatively low-privilege users can potentially compromise the security of higher-privilege accounts. When victims access pages containing the malicious scripts, the injected code executes in their browsers, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The stored nature of this vulnerability means that the malicious scripts persist indefinitely until manually removed, creating an ongoing security risk that can affect multiple users over extended periods.
From a cybersecurity framework perspective, this vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and it maps to ATT&CK technique T1566.001 for credential access through social engineering. The vulnerability also demonstrates poor input validation practices that violate security best practices outlined in the OWASP Top Ten. Organizations should prioritize immediate remediation by updating to the latest version of the Uncode theme where this vulnerability has been patched. Additionally, administrators should implement additional monitoring for suspicious content submissions and consider implementing content security policies to mitigate potential exploitation. The vulnerability serves as a reminder of the critical importance of input sanitization and output escaping in web application security, particularly within content management systems where user-generated content is prevalent.