CVE-2024-13323 is a stored cross-site scripting (XSS) vulnerability identified in the WP Booking Calendar plugin for WordPress, affecting all versions up to and including 10.9.2. The vulnerability stems from improper neutralization of input during web page generation, specifically in the handling of the 'booking' shortcode attributes. The plugin fails to adequately sanitize and escape user-supplied input, allowing an authenticated attacker with contributor-level access or higher to inject arbitrary JavaScript code into pages. Once injected, this malicious script executes in the context of any user who visits the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability requires authentication but no additional user interaction to trigger, and it affects the confidentiality and integrity of the affected systems. The CVSS 3.1 base score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required at the contributor level. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that process user-generated content or attributes.

The impact of CVE-2024-13323 is primarily on the confidentiality and integrity of WordPress sites using the WP Booking Calendar plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of site visitors, which can lead to session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed on behalf of legitimate users. Since the vulnerability requires contributor-level authentication, attackers must first compromise or register an account with sufficient privileges, which may be feasible on sites allowing user registrations. The scope of affected systems includes all WordPress installations using the vulnerable plugin versions, which could be significant given the popularity of WordPress and its plugins. Although availability is not directly impacted, the compromise of site integrity and user trust can have severe reputational and operational consequences. Additionally, attackers could leverage this vulnerability as a foothold for further attacks within the WordPress environment or pivot to other internal systems. Organizations relying on this plugin for booking functionalities may face disruptions or data breaches if the vulnerability is exploited.

To mitigate CVE-2024-13323, organizations should first check for and apply any official patches or updates released by the WP Booking Calendar plugin developers once available. In the absence of patches, administrators should consider temporarily disabling the plugin or removing the 'booking' shortcode from pages to prevent exploitation. Restricting user registration and limiting contributor-level privileges to trusted users can reduce the risk of attacker access. Implementing a web application firewall (WAF) with rules to detect and block malicious script injections targeting the plugin's shortcode parameters can provide additional protection. Site administrators should also enforce strict content security policies (CSP) to limit the execution of unauthorized scripts. Regularly auditing user accounts and monitoring logs for suspicious activity related to the plugin can help detect exploitation attempts early. Finally, educating users and administrators about the risks of XSS and the importance of privilege management is critical to reducing attack surface.