CVE-2024-13380 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Alex Reservations: Smart Restaurant Booking plugin for WordPress, affecting all versions up to and including 2.0.5. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically in the handling of the 'rr_form' shortcode attributes. The plugin fails to adequately sanitize and escape user-supplied input, allowing authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The attack vector is remote over the network, with low complexity, requiring no user interaction but limited to authenticated users with certain privileges. The vulnerability impacts confidentiality and integrity but not availability, and the scope is changed as it affects multiple users viewing the injected content. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability was published on January 30, 2025, with a CVSS 3.1 base score of 6.4, categorized as medium severity. The plugin is used primarily in restaurant booking contexts on WordPress sites, which are widely deployed globally.

The primary impact of CVE-2024-13380 is the compromise of user confidentiality and integrity on affected WordPress sites using the Alex Reservations plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors, including administrators and customers. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. For organizations, this can result in reputational damage, loss of customer trust, and potential regulatory consequences if personal data is exposed. Since the vulnerability requires authenticated access at contributor level or above, the risk is heightened in environments where multiple users have elevated privileges or where contributor accounts are not tightly controlled. The scope of impact extends to all users who visit the compromised pages, potentially affecting a broad audience. Although no known exploits are currently reported, the medium severity score and ease of exploitation suggest that attackers could develop exploits rapidly, especially in the absence of patches.

To mitigate CVE-2024-13380, organizations should first check for updates or patches from the plugin vendor and apply them immediately once available. In the absence of official patches, administrators should restrict contributor-level and higher access to trusted users only, minimizing the risk of malicious input injection. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the 'rr_form' shortcode can provide interim protection. Site owners should audit existing content generated by the plugin for suspicious scripts and remove any unauthorized code. Employing Content Security Policy (CSP) headers can help reduce the impact of injected scripts by restricting script execution sources. Additionally, hardening WordPress security by enforcing strong authentication, limiting plugin usage, and monitoring user activity can reduce the attack surface. Developers maintaining the plugin should implement proper input validation, sanitization, and output escaping for all user-supplied attributes in shortcodes to prevent future XSS vulnerabilities.