
CVE-2024-13696: WordPress Wishlist Plugin XSS Vulnerability

CVE-2024-13696 is a stored cross-site scripting flaw in the Flexible Wishlist for WooCommerce WordPress plugin that lets unauthenticated attackers inject malicious scripts. This article covers technical details, affected versions, impact, and mitigation steps.

CVE-2024-13696 Overview

CVE-2024-13696 is a Stored Cross-Site Scripting (XSS) vulnerability in the Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress. The flaw affects all versions up to and including 1.2.25. The vulnerability stems from insufficient input sanitization and output escaping on the wishlist_name parameter [CWE-79]. Unauthenticated attackers can inject arbitrary web scripts that execute in the browser of any user who accesses an affected page. The issue carries a network attack vector with no privileges or user interaction required.

Critical Impact

Unauthenticated attackers can inject persistent JavaScript payloads through the wishlist_name parameter, leading to session theft, administrative account compromise, and malicious redirects on WooCommerce storefronts.

Affected Products

  • Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress
  • All versions up to and including 1.2.25
  • WooCommerce storefronts using the vulnerable plugin

Discovery Timeline

  • 2025-01-29 - CVE-2024-13696 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-13696

Vulnerability Analysis

The vulnerability is a Stored Cross-Site Scripting flaw classified under [CWE-79]. The plugin accepts user-supplied input through the wishlist_name parameter without applying sufficient input sanitization. The same data is later rendered back to other users without proper output escaping. As a result, attacker-controlled markup and JavaScript persist within the application database and execute in every visitor's browser session.

Because the attack is stored, a single submission affects every user who subsequently loads the injected page. The CVSS scope change indicates the injected payload can affect resources beyond the vulnerable component, including authenticated administrative sessions accessing the wishlist data.

The EPSS score of 0.365% (28th percentile) suggests limited active exploitation at this time. However, WordPress plugin XSS flaws are routinely incorporated into automated scanning toolkits shortly after public disclosure.

Root Cause

The root cause is twofold: the plugin neither sanitizes the wishlist_name input on write nor escapes the value when rendering output. Either control alone would have blocked the attack. WordPress provides standard helpers for both: sanitize_text_field() for input handling and esc_html() or esc_attr() for context-appropriate output encoding. The vulnerable code paths omit these controls. The fix was delivered in WordPress Plugin Changeset #3230370.
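A hypothetical illustration added here (not the plugin's actual code, which this page does not reproduce) of the two missing controls side by side with the corrected form using the WordPress helpers named above; the function names and the option key are assumptions:

```php
<?php
// Added example (hypothetical): how the two missing controls look in code, next
// to the corrected form. This is NOT the Flexible Wishlist plugin's own code;
// function names and the 'demo_wishlist_name' option key are assumptions.

// Vulnerable pattern: the raw request value is stored, then echoed unescaped.
function demo_vulnerable_save() {
    $name = $_POST['wishlist_name'];                 // no sanitization on write
    update_option( 'demo_wishlist_name', $name );
}
function demo_vulnerable_render() {
    $name = get_option( 'demo_wishlist_name', '' );
    echo '<h2 class="wishlist-title">' . $name . '</h2>';   // no output escaping
}

// Hardened pattern: sanitize on write AND escape for the output context.
function demo_safe_save() {
    if ( ! isset( $_POST['wishlist_name'] ) ) {
        return;
    }
    // wp_unslash() reverses the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid UTF-8 and line breaks.
    $name = sanitize_text_field( wp_unslash( $_POST['wishlist_name'] ) );
    // Defence in depth: a wishlist title never needs to be long.
    $name = mb_substr( $name, 0, 100 );
    update_option( 'demo_wishlist_name', $name );
}
function demo_safe_render() {
    $name = get_option( 'demo_wishlist_name', '' );
    // Escape for the context the value lands in: esc_attr() inside an attribute,
    // esc_html() for element text. Output escaping stays in place even though
    // the stored value was sanitized, so either control alone stops the XSS.
    printf(
        '<h2 class="wishlist-title" data-name="%s">%s</h2>',
        esc_attr( $name ),
        esc_html( $name )
    );
}
```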

Attack Vector

An unauthenticated attacker submits a wishlist creation request with a malicious JavaScript payload supplied as the wishlist_name value. The payload is persisted server-side. When any user, including site administrators, loads a page that renders this wishlist data, the script executes within the browser under the storefront's origin. This enables cookie theft, CSRF token harvesting, account takeover, and arbitrary content modification. Refer to the Wordfence Vulnerability Report and the WordPress Plugin JavaScript File for technical context on the affected code paths.

Detection Methods for CVE-2024-13696

Indicators of Compromise

  • Wishlist records containing HTML tags such as <script>, <img>, <svg>, or event handler attributes like onerror= and onload= in the wishlist_name field
  • Outbound HTTP requests from visitor browsers to attacker-controlled domains originating on wishlist pages
  • Unexpected administrator account creation or privilege changes following wishlist page access
  • Unusual POST requests to wishlist creation endpoints from unauthenticated sources

Detection Strategies

  • Query the WordPress database for wishlist entries containing angle brackets, JavaScript URI schemes, or known XSS payload patterns
  • Inspect web server logs for POST requests carrying suspicious characters in the wishlist_name parameter
  • Deploy a Web Application Firewall (WAF) rule set that identifies common XSS payloads targeting WooCommerce plugin endpoints
  • Monitor browser Content Security Policy (CSP) violation reports for inline script blocks executing on wishlist pages
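Added example, not taken from the page's sources: a small PHP scanner implementing the first two strategies above over constructed wishlist records. It decodes URL- and entity-encoded values before matching, which a plain angle-bracket query against the table would miss:

```php
<?php
// Added example: a scanner for the stored-payload indicators listed above. It is
// not part of the plugin or of WordPress, and the sample rows are constructed.

// Returns the names of the indicators that match, or an empty array if none do.
function wishlist_name_indicators( string $value ): array {
    // Normalise first: repeat URL- and entity-decoding until the value stops
    // changing, so an encoded <script> is not missed by the raw-text patterns.
    $decoded = $value;
    for ( $i = 0; $i < 3; $i++ ) {
        $next = html_entity_decode( rawurldecode( $decoded ), ENT_QUOTES | ENT_HTML5, 'UTF-8' );
        if ( $next === $decoded ) {
            break;
        }
        $decoded = $next;
    }
    $patterns = [
        'html_tag'       => '/<\s*\/?\s*[a-z][\w-]*/i',   // any opening/closing tag
        'event_handler'  => '/\bon[a-z]+\s*=/i',          // onerror=, onload=, ...
        'javascript_uri' => '/javascript\s*:/i',
        'data_uri'       => '/data\s*:\s*text\/html/i',
    ];
    $hits = [];
    foreach ( $patterns as $name => $re ) {
        if ( preg_match( $re, $decoded ) ) {
            $hits[] = $name;   // candidate for manual review, not proof of compromise
        }
    }
    return $hits;
}

// Constructed rows standing in for a query against the wishlist table.
$sample_rows = [
    [ 'id' => 1, 'wishlist_name' => 'Birthday gifts' ],
    [ 'id' => 2, 'wishlist_name' => 'Summer <b>sale</b> picks' ],
    [ 'id' => 3, 'wishlist_name' => '&lt;img src=x onerror=1&gt;' ],   // entity-encoded
    [ 'id' => 4, 'wishlist_name' => 'x%3Cscript%3E' ],                 // URL-encoded
    [ 'id' => 5, 'wishlist_name' => 'javascript:void(0)' ],
];
foreach ( $sample_rows as $row ) {
    $hits = wishlist_name_indicators( $row['wishlist_name'] );
    if ( $hits ) {
        printf( "row %d flagged: %s\n", $row['id'], implode( ', ', $hits ) );
    }
}
```

Rows 2 through 5 are flagged; the legitimate title in row 1 is not. Run the same function over the real table rows with the plugin's own column name substituted.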

Monitoring Recommendations

  • Audit installed WordPress plugins against the affected version range <= 1.2.25 of Flexible Wishlist for WooCommerce
  • Correlate administrator session activity with wishlist page visits to identify potential session hijacking
  • Track database write operations against wishlist tables for anomalous payload sizes or character patterns
  • Forward WordPress and webserver logs to a centralized SIEM for retroactive hunting against the disclosure date

How to Mitigate CVE-2024-13696

Immediate Actions Required

  • Update the Flexible Wishlist for WooCommerce plugin to a version newer than 1.2.25 that contains the fix from changeset 3230370
  • Audit existing wishlist records for stored payloads and remove any entries containing executable markup
  • Rotate administrator credentials and active session tokens if exploitation is suspected
  • Review WooCommerce order and user data for unauthorized changes made via hijacked sessions

Patch Information

The vendor released a fix in WordPress Plugin Changeset #3230370. Administrators should upgrade through the WordPress plugin management interface or by deploying the updated package from the WordPress Flexible Wishlist Developers page. Verify the installed version after upgrade to confirm remediation.

Workarounds

  • Disable the Flexible Wishlist for WooCommerce plugin until the patched version can be deployed
  • Deploy a WAF rule that blocks requests containing HTML tags or JavaScript event handlers in the wishlist_name parameter
  • Apply a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins
  • Restrict wishlist creation to authenticated users only via access control rules at the reverse proxy layer

```apache
# Example WAF rule (ModSecurity) blocking script injection in wishlist_name
SecRule ARGS:wishlist_name "@rx (?i)(<script|onerror=|onload=|javascript:|<svg|<img[^>]+on)" \
    "id:1013696,phase:2,deny,status:403,\
    msg:'CVE-2024-13696 Flexible Wishlist XSS attempt blocked',\
    tag:'CWE-79'"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
