CVE-2024-13878: 
WordPress vulnerability analysis and mitigation

The SpotBot WordPress plugin through version 0.1.8 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-13878. The vulnerability was discovered and reported by Hassan Khan Yusufzai (Splint3r7) and was publicly disclosed on February 26, 2025. The issue affects the plugin's parameter handling functionality, which could potentially be exploited against high-privilege users such as administrators (WPScan).

The vulnerability stems from improper sanitization and escaping of a parameter before it is output back in the page. The CVSS v3.1 base score for this vulnerability is 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability can be exploited through the admin interface using a specifically crafted URL (NVD).

When successfully exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of high-privilege users' browsers, potentially leading to unauthorized actions and data exposure. The vulnerability specifically affects administrative users of WordPress installations running the vulnerable version of the SpotBot plugin (WPScan).

Currently, there is no known fix available for this vulnerability in the SpotBot WordPress plugin. Users are advised to consider removing or disabling the plugin until a security patch is released (WPScan).