CVE-2024-13313 is a medium-severity vulnerability identified in the AWeber WordPress plugin, specifically in versions up to 7.3.20. The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue (CWE-79), which arises because the plugin fails to properly sanitize and escape certain settings. This flaw allows users with high privileges, such as administrators, to inject malicious scripts that are stored persistently within the plugin's settings. Notably, this vulnerability can be exploited even when the WordPress capability 'unfiltered_html' is disabled, such as in multisite environments, which typically restricts the ability to post unfiltered HTML content. The CVSS 3.1 base score for this vulnerability is 4.8, reflecting a medium severity level. The vector indicates that the attack can be performed remotely (AV:N) with low attack complexity (AC:L), requires high privileges (PR:H), and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the security scope of the vulnerable component. The impact on confidentiality and integrity is low (C:L, I:L), with no impact on availability (A:N). There are no known exploits in the wild at this time, and no patches have been linked yet. The vulnerability was reserved in January 2025 and published in May 2025 by WPScan. Since the vulnerability requires high privileges and user interaction, it is primarily a risk from insider threats or compromised admin accounts, potentially allowing attackers to execute malicious scripts in the context of the affected WordPress site, leading to session hijacking, defacement, or further privilege escalation.

For European organizations using the AWeber WordPress plugin, this vulnerability poses a moderate risk. Since exploitation requires administrative privileges and user interaction, the threat is mainly from malicious insiders or attackers who have already compromised admin accounts. Successful exploitation could lead to unauthorized script execution within the administrative interface, potentially enabling attackers to steal sensitive information, manipulate site content, or pivot to other parts of the network. This can undermine the integrity and confidentiality of organizational data and damage the reputation of affected entities. Given the widespread use of WordPress across European businesses, especially in marketing and communications, organizations relying on the AWeber plugin for email marketing or customer engagement could see disruptions or data leakage. Multisite WordPress setups, common in larger enterprises or agencies managing multiple sites, are particularly at risk since the vulnerability bypasses the usual unfiltered_html restrictions. However, the lack of known exploits and the medium severity score suggest that immediate widespread impact is limited but should not be ignored.

European organizations should take proactive steps to mitigate this vulnerability beyond generic patching advice. First, restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Conduct thorough audits of user privileges to ensure no unnecessary admin rights are granted. Implement Content Security Policy (CSP) headers to limit the impact of potential XSS attacks by restricting the execution of unauthorized scripts. Monitor WordPress logs and plugin settings changes for suspicious activity that could indicate exploitation attempts. Since no official patch is currently linked, organizations should consider temporarily disabling or replacing the AWeber plugin until a secure update is released. Additionally, educate administrators about the risks of executing untrusted content and the importance of safe plugin management. Employ web application firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting the plugin’s settings. Finally, maintain regular backups of WordPress sites to enable quick recovery if exploitation occurs.