CVE-2024-13508: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in masaakitanaka Booking Package
CVE-2024-13508 is a reflected Cross-Site Scripting (XSS) vulnerability in the Booking Package WordPress plugin by masaakitanaka, affecting all versions up to 1. 6. 72. The flaw arises from improper sanitization and escaping of the 'locale' parameter, allowing unauthenticated attackers to inject malicious scripts. Exploitation requires tricking a user into clicking a crafted link, leading to script execution in the victim's browser. This vulnerability impacts confidentiality and integrity but does not affect availability. The CVSS score is 6. 1 (medium severity), reflecting ease of exploitation without authentication but requiring user interaction. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent potential phishing or session hijacking attacks.
AI Analysis
Technical Summary
CVE-2024-13508 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Booking Package plugin for WordPress, developed by masaakitanaka. The vulnerability exists in all versions up to and including 1.6.72 due to insufficient input sanitization and output escaping of the 'locale' parameter. This parameter is used during web page generation, and because it is not properly neutralized, an attacker can craft a malicious URL containing executable JavaScript code. When a victim clicks on such a link, the injected script executes in their browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect them to malicious sites. The vulnerability is exploitable remotely without authentication but requires user interaction (clicking a link). The CVSS 3.1 base score is 6.1, indicating a medium severity level with low attack complexity and no privileges required. The scope is changed because the vulnerability affects the user’s browser environment rather than the server directly. No patches or exploit code are currently publicly available, but the risk remains significant for websites using this plugin, especially those handling sensitive user data or financial transactions.
Potential Impact
The primary impact of this vulnerability is on the confidentiality and integrity of user data. Attackers can execute arbitrary scripts in the context of the affected website, potentially stealing session tokens, cookies, or other sensitive information. This can lead to account hijacking, unauthorized actions performed on behalf of users, and phishing attacks. Although availability is not directly impacted, the trustworthiness of the affected website can be severely damaged, leading to reputational harm and loss of customer confidence. Organizations relying on the Booking Package plugin for booking or e-commerce functionalities may face increased risk of targeted attacks against their users. The vulnerability's requirement for user interaction limits mass exploitation but does not eliminate the risk, especially in phishing-prone environments.
Mitigation Recommendations
1. Immediately update the Booking Package plugin to a patched version once released by the vendor. Monitor official channels for updates. 2. In the absence of an official patch, implement web application firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the 'locale' parameter. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected web pages. 4. Sanitize and validate all user inputs on the server side, especially parameters used in page generation, to ensure they do not contain executable code. 5. Educate users and staff about phishing risks and the dangers of clicking on untrusted links. 6. Regularly audit and monitor web server logs for unusual request patterns targeting the 'locale' parameter. 7. Consider disabling or restricting the use of the vulnerable plugin if immediate patching is not feasible, especially on high-risk sites.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Brazil, Japan, Netherlands, Italy, Spain
CVE-2024-13508: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in masaakitanaka Booking Package
Description
CVE-2024-13508 is a reflected Cross-Site Scripting (XSS) vulnerability in the Booking Package WordPress plugin by masaakitanaka, affecting all versions up to 1. 6. 72. The flaw arises from improper sanitization and escaping of the 'locale' parameter, allowing unauthenticated attackers to inject malicious scripts. Exploitation requires tricking a user into clicking a crafted link, leading to script execution in the victim's browser. This vulnerability impacts confidentiality and integrity but does not affect availability. The CVSS score is 6. 1 (medium severity), reflecting ease of exploitation without authentication but requiring user interaction. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent potential phishing or session hijacking attacks.
AI-Powered Analysis
Technical Analysis
CVE-2024-13508 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Booking Package plugin for WordPress, developed by masaakitanaka. The vulnerability exists in all versions up to and including 1.6.72 due to insufficient input sanitization and output escaping of the 'locale' parameter. This parameter is used during web page generation, and because it is not properly neutralized, an attacker can craft a malicious URL containing executable JavaScript code. When a victim clicks on such a link, the injected script executes in their browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect them to malicious sites. The vulnerability is exploitable remotely without authentication but requires user interaction (clicking a link). The CVSS 3.1 base score is 6.1, indicating a medium severity level with low attack complexity and no privileges required. The scope is changed because the vulnerability affects the user’s browser environment rather than the server directly. No patches or exploit code are currently publicly available, but the risk remains significant for websites using this plugin, especially those handling sensitive user data or financial transactions.
Potential Impact
The primary impact of this vulnerability is on the confidentiality and integrity of user data. Attackers can execute arbitrary scripts in the context of the affected website, potentially stealing session tokens, cookies, or other sensitive information. This can lead to account hijacking, unauthorized actions performed on behalf of users, and phishing attacks. Although availability is not directly impacted, the trustworthiness of the affected website can be severely damaged, leading to reputational harm and loss of customer confidence. Organizations relying on the Booking Package plugin for booking or e-commerce functionalities may face increased risk of targeted attacks against their users. The vulnerability's requirement for user interaction limits mass exploitation but does not eliminate the risk, especially in phishing-prone environments.
Mitigation Recommendations
1. Immediately update the Booking Package plugin to a patched version once released by the vendor. Monitor official channels for updates. 2. In the absence of an official patch, implement web application firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the 'locale' parameter. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected web pages. 4. Sanitize and validate all user inputs on the server side, especially parameters used in page generation, to ensure they do not contain executable code. 5. Educate users and staff about phishing risks and the dangers of clicking on untrusted links. 6. Regularly audit and monitor web server logs for unusual request patterns targeting the 'locale' parameter. 7. Consider disabling or restricting the use of the vulnerable plugin if immediate patching is not feasible, especially on high-risk sites.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-17T13:56:34.280Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e5cb7ef31ef0b59eec3
Added to database: 2/25/2026, 9:49:16 PM
Last enriched: 2/26/2026, 12:29:33 AM
Last updated: 2/26/2026, 8:08:59 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup
HighFinding Signal in the Noise: Lessons Learned Running a Honeypot with AI Assistance [Guest Diary], (Tue, Feb 24th)
MediumCVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.