
CVE-2024-13350: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in searchiq SearchIQ – The Search Solution

Severity: Medium
Tags: Vulnerability, CVE-2024-13350, CWE-79
Published: Wed Mar 05 2025 (03/05/2025, 08:21:55 UTC)
Source: CVE Database V5
Vendor/Project: searchiq
Product: SearchIQ – The Search Solution

Description

CVE-2024-13350 is a stored cross-site scripting (XSS) vulnerability in the SearchIQ – The Search Solution WordPress plugin affecting all versions up to 4.7. It arises from improper input sanitization and output escaping in the 'siq_searchbox' shortcode, allowing authenticated users with contributor-level or higher privileges to inject malicious scripts. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability has a CVSS score of 6.4, indicating medium severity, with network attack vector, low attack complexity, and no user interaction required. No public exploits are currently known. Organizations using this plugin should prioritize patching or applying mitigations to prevent exploitation. The threat primarily affects WordPress sites globally, especially those with contributor-level user roles enabled. Mitigation involves restricting contributor privileges, sanitizing inputs, and monitoring for suspicious activity until a patch is available.

AI-Powered Analysis

Last updated: 02/26/2026, 02:00:06 UTC

Technical Analysis

CVE-2024-13350 is a stored cross-site scripting (XSS) vulnerability identified in the SearchIQ – The Search Solution plugin for WordPress, affecting all versions up to and including 4.7. The flaw exists due to insufficient sanitization and output escaping of user-supplied attributes in the 'siq_searchbox' shortcode. Authenticated attackers with contributor-level access or higher can exploit this vulnerability by injecting malicious JavaScript code into pages via the shortcode parameters. Because the injected scripts are stored persistently, they execute whenever any user visits the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability is network exploitable without user interaction, with low attack complexity, but requires authenticated access with contributor or higher privileges. The scope is considered changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, potentially impacting other users. The CVSS 3.1 base score is 6.4 (medium severity), reflecting limited confidentiality and integrity impacts but no availability impact. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or editors. The lack of a patch at the time of publication necessitates immediate mitigation steps to reduce exposure.

Potential Impact

The primary impact of CVE-2024-13350 is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, leading to stored XSS attacks. This can compromise the confidentiality and integrity of user data by enabling session hijacking, credential theft, or unauthorized actions performed in the context of other users, including administrators. Although availability is not directly affected, the reputational damage and potential data breaches can be severe. Organizations with multi-user WordPress environments are particularly at risk, as contributor roles are common for content creation. The vulnerability could facilitate lateral movement within the site, privilege escalation, or distribution of malware to site visitors. Given WordPress’s widespread use globally, the threat could impact a broad range of sectors, including e-commerce, media, education, and government websites. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is straightforward to exploit for authenticated users. Failure to address this vulnerability could lead to data breaches, loss of user trust, and regulatory penalties in jurisdictions with strict data protection laws.

Mitigation Recommendations

1. Immediately restrict contributor-level user permissions to trusted individuals only, minimizing the risk of malicious script injection.
2. Implement strict input validation and output encoding for all user-supplied data, especially in shortcode attributes, to prevent injection of executable scripts.
3. Monitor WordPress logs and content for suspicious shortcode usage or unexpected script tags.
4. Disable or remove the SearchIQ plugin if it is not essential to reduce the attack surface until a security patch is released.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block attempts to inject or execute malicious scripts via the vulnerable shortcode.
6. Educate content contributors about safe content practices and the risks of injecting untrusted code.
7. Regularly back up website data to enable quick restoration in case of compromise.
8. Stay updated with vendor announcements for patches or security updates and apply them promptly once available.
9. Consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website.
10. Conduct periodic security audits and penetration testing focusing on user input handling and plugin vulnerabilities.
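The following is an added illustrative example, not code from the SearchIQ plugin, showing the shortcode pattern behind the flaw described in the technical analysis and the attribute validation and output escaping that mitigation item 2 calls for. The shortcode name and the attribute names (placeholder, width) are hypothetical, since the advisory does not list the real attributes; the WordPress functions used (shortcode_atts, esc_attr, wp_strip_all_tags, add_shortcode) are the standard core APIs.

```php
<?php
// Added example, not the plugin's code. Shortcode and attribute names are
// hypothetical stand-ins for the 'siq_searchbox' attributes named in the advisory.

$example_defaults = array(
    'placeholder' => 'Search',
    'width'       => '100%',
);

// Vulnerable pattern (what the advisory describes): attribute values that a
// contributor wrote into the post are concatenated straight into the HTML.
// Nothing stops a value from closing the attribute and adding markup or an
// event handler, which then renders for every visitor of the page.
function example_searchbox_unsafe( $atts ) {
    global $example_defaults;
    $atts = shortcode_atts( $example_defaults, $atts, 'example_searchbox' );
    return '<input type="search" placeholder="' . $atts['placeholder']
         . '" style="width:' . $atts['width'] . '">';
}

// Hardened pattern: validate each attribute against what it is allowed to
// contain, then escape it for the exact HTML context it lands in.
function example_searchbox_safe( $atts ) {
    global $example_defaults;
    $atts = shortcode_atts( $example_defaults, $atts, 'example_searchbox' );

    // Free-text attribute: remove any tags, then escape for an attribute
    // context so quotes and angle brackets become entities.
    $placeholder = esc_attr( wp_strip_all_tags( $atts['placeholder'] ) );

    // Constrained attribute: accept only a plain CSS length; anything else
    // falls back to the default instead of being echoed.
    $width = preg_match( '/^\d{1,4}(px|%|em|rem)$/', $atts['width'] )
        ? $atts['width']
        : $example_defaults['width'];

    return sprintf(
        '<input type="search" placeholder="%s" style="width:%s">',
        $placeholder,
        esc_attr( $width )
    );
}

// Only the hardened handler is registered; the unsafe one is shown for contrast.
add_shortcode( 'example_searchbox', 'example_searchbox_safe' );
```

The same two rules apply to any attribute the real shortcode accepts: allow-list values whose format is known, and escape free text with the helper matching its output context (esc_attr for attributes, esc_html for element content, esc_url for links).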


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-13T15:13:12.099Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e51b7ef31ef0b59e25f

Added to database: 2/25/2026, 9:49:05 PM

Last enriched: 2/26/2026, 2:00:06 AM

Last updated: 2/26/2026, 9:42:01 AM

