CVE-2024-13055: 
WordPress vulnerability analysis and mitigation

The Dyn Business Panel WordPress plugin through version 1.0.0 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-13055. The vulnerability was discovered by Hassan Khan Yusufzai (Splint3r7) and publicly disclosed on January 6, 2025. The issue affects high-privilege users such as administrators (WPScan).

The vulnerability stems from improper parameter sanitization and escaping before output rendering in the page. The CVSS v3.1 score is 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability can be exploited through a specially crafted URL targeting the plugin's admin interface (NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of high-privilege users' browsers, potentially leading to account compromise or unauthorized actions being performed with administrative privileges (WPScan).

Currently, there is no known fix available for this vulnerability. Website administrators using the Dyn Business Panel plugin should consider either removing the plugin or implementing additional security controls until a patch is released (WPScan).