CVE-2024-13010 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the WP Foodbakery plugin for WordPress, developed by Chimpstudio. This vulnerability affects all versions up to and including 4.7. The root cause is insufficient sanitization and escaping of the 'search_type' parameter during web page generation, which allows an attacker to inject arbitrary JavaScript code into pages viewed by users. Since the vulnerability is reflected, the malicious script is embedded in a crafted URL or request that, when clicked or visited by a user, executes in the victim's browser context. The attack does not require authentication but does require user interaction, such as clicking a malicious link. The CVSS 3.1 base score is 6.1, reflecting medium severity, with an attack vector of network (remote), low attack complexity, no privileges required, and user interaction needed. The scope is changed because the vulnerability can affect other components or users beyond the initial vulnerable component. The impact affects confidentiality and integrity by potentially allowing theft of sensitive data, session tokens, or performing actions on behalf of the user, but it does not impact availability. No public exploits are currently known, but the vulnerability could be leveraged in phishing campaigns or to escalate attacks within compromised environments. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

The vulnerability enables attackers to execute arbitrary scripts in the context of users visiting a vulnerable site, potentially leading to theft of session cookies, user credentials, or other sensitive information. This can facilitate account takeover, privilege escalation, or unauthorized actions performed on behalf of the victim user. For organizations, this can result in data breaches, reputational damage, and compliance violations, especially if customer data is exposed. Since the vulnerability requires user interaction, the impact depends on the success of social engineering efforts. However, given the widespread use of WordPress and the popularity of the WP Foodbakery plugin in e-commerce and restaurant websites, the attack surface is significant. Attackers could use this vulnerability to distribute malware, redirect users to malicious sites, or conduct targeted phishing campaigns. The lack of known exploits in the wild suggests limited active exploitation currently, but the medium severity score indicates a meaningful risk if left unmitigated.

Organizations should immediately update the WP Foodbakery plugin to a patched version once available. In the absence of an official patch, administrators should implement strict input validation and output encoding for the 'search_type' parameter to neutralize malicious input. Deploying a robust Content Security Policy (CSP) can help restrict the execution of unauthorized scripts. Web Application Firewalls (WAFs) should be configured to detect and block suspicious requests containing script payloads targeting the vulnerable parameter. Educate users and administrators about the risks of clicking unknown or suspicious links, especially those that appear to come from trusted sites. Regularly audit and monitor web server logs for unusual query parameters or repeated attempts to exploit this vulnerability. Additionally, consider isolating or sandboxing the plugin's functionality to limit the impact of potential script execution. Finally, maintain a comprehensive incident response plan to quickly address any exploitation attempts.