CVE-2024-13349 identifies a stored cross-site scripting (XSS) vulnerability in the Stockdio Historical Chart plugin for WordPress, which is widely used to display historical stock data via shortcode integration. The vulnerability exists in all versions up to and including 2.8.18 due to improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to adequately sanitize and escape user-supplied attributes passed through the 'stockdio-historical-chart' shortcode. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages or posts. When other users access these pages, the injected scripts execute in their browsers, potentially enabling session hijacking, privilege escalation, or unauthorized actions within the WordPress site context. The vulnerability does not require user interaction beyond visiting the infected page and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based, with low attack complexity and privileges required, and the scope is changed as the vulnerability can affect other users beyond the attacker. No patches or official fixes are currently linked, and no known exploits have been observed in the wild, but the risk remains significant due to the plugin’s popularity and the ease of exploitation by authenticated users.

The impact of CVE-2024-13349 on organizations can be substantial, especially for those relying on the Stockdio Historical Chart plugin to display financial or stock market data on WordPress sites. Exploitation allows authenticated contributors or higher to inject malicious scripts that execute in the browsers of site visitors and administrators. This can lead to theft of session cookies, unauthorized actions such as content modification or privilege escalation, and potential compromise of user accounts. For organizations with multiple content contributors, the risk is elevated as attackers only need contributor-level access, which is commonly granted. The vulnerability undermines the integrity and confidentiality of the affected websites and their users. While availability is not directly impacted, the reputational damage and potential data breaches resulting from exploitation can be severe. Additionally, attackers could leverage this vulnerability as a foothold for further attacks within the organization’s web infrastructure. Given the widespread use of WordPress globally, the threat has a broad potential impact, particularly for financial services, investment firms, and business websites that utilize this plugin.

To mitigate CVE-2024-13349, organizations should first check for and apply any official patches or updates from the Stockdio plugin vendor as they become available. In the absence of an immediate patch, administrators should restrict contributor-level permissions to trusted users only and audit existing contributors for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'stockdio-historical-chart' shortcode parameters can provide interim protection. Additionally, site administrators should enable Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Regularly scanning WordPress sites with security plugins that detect XSS payloads or anomalous shortcode usage is recommended. Reviewing and sanitizing all user-generated content before publishing, and educating contributors about safe content practices, will also reduce risk. Finally, monitoring logs for unusual shortcode usage or script injection attempts can help detect exploitation attempts early.