{"id":"CVE-2024-13574","details":"The XV Random Quotes WordPress plugin through 1.40 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting vulnerability which could be used against high-privilege users such as admins.","modified":"2026-03-14T12:24:46.632103Z","published":"2025-03-11T06:15:25.680Z","references":[{"type":"EVIDENCE","url":"https://wpscan.com/vulnerability/7eb9ef20-5d34-425e-b7fc-38a769d0a822/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/xavivars/xv-random-quotes","events":[{"introduced":"0"},{"last_affected":"383bc42962e2f9f678cbd7f9a42901dee60a514a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.40"}]}}],"versions":["1.0","1.1","1.10","1.11","1.12","1.2","1.20","1.21","1.22","1.24","1.25","1.26","1.27","1.28","1.29","1.3","1.30","1.31","1.32","1.34","1.35","1.36","1.37","1.38","1.40","1.48","1.50","1.51","1.52","1.53","1.6","1.6.2","1.6.3","1.6.4","1.7","1.7.1","1.7.3","1.7.4","1.7.5","1.7.6","1.7.7","1.7.8","1.7.9","1.7.9_fix","1.8.1","1.8.2","1.8.3","1.8.5","1.8.6","1.8.9","1.9.0","1.9.2","1.9.4","1.9.5","1.9.6","1.9.7","1.9.9","1.9.9z3","StrayQuotesZ","XV-Random-Quotes"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-13574.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"}]}