CVE-2024-13340 is a stored cross-site scripting (XSS) vulnerability identified in the MDTF – Meta Data and Taxonomies Filter plugin for WordPress, maintained by realmag777. The vulnerability exists in all versions up to and including 1.3.3.6, specifically within the 'mdf_results_by_ajax' shortcode functionality. The root cause is improper neutralization of input (CWE-79), where user-supplied attributes are not adequately sanitized or escaped before being rendered on web pages. This allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code that is stored persistently and executed in the context of any user who accesses the affected page. Because the vulnerability requires authentication at the contributor level, it limits exploitation to users who already have some level of access, but it does not require administrative privileges. The attack vector is network-based with low attack complexity and no user interaction is needed beyond page access. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed on behalf of users. Availability is not impacted. The CVSS 3.1 score of 6.4 reflects a medium severity rating, with a vector indicating network attack vector, low complexity, privileges required, no user interaction, and scope changed due to the ability to affect other users. No public exploits have been reported yet, but the vulnerability poses a risk to WordPress sites using this plugin, especially those allowing contributor-level access to untrusted users.

The primary impact of CVE-2024-13340 is the potential compromise of user confidentiality and integrity on affected WordPress sites. An attacker with contributor-level access can inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed with the victim's privileges. This can facilitate further privilege escalation or site defacement. Although availability is not directly affected, the trustworthiness and security posture of the affected website can be severely damaged. Organizations relying on this plugin for content filtering or taxonomy management may face reputational harm and increased risk of data breaches. The vulnerability is particularly concerning for sites with multiple contributors or where contributor accounts may be compromised or created by malicious actors. Since exploitation requires authenticated access, the risk is somewhat mitigated but remains significant in environments with less stringent user access controls.

To mitigate CVE-2024-13340, organizations should immediately update the MDTF – Meta Data and Taxonomies Filter plugin to a version that addresses this vulnerability once available. In the absence of an official patch, site administrators should restrict contributor-level access to trusted users only and review existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'mdf_results_by_ajax' shortcode parameters can provide temporary protection. Additionally, applying strict input validation and output encoding on user-supplied data within the plugin's shortcode processing code is critical; developers can implement custom filters or hooks to sanitize inputs if patching is delayed. Regularly monitoring logs for unusual activity and conducting security audits on user permissions will help detect exploitation attempts. Finally, educating contributors about secure content practices and the risks of injecting untrusted code can reduce the likelihood of exploitation.