CVE-2024-13385 identifies a stored cross-site scripting (XSS) vulnerability in the JSM Screenshot Machine Shortcode plugin for WordPress, affecting all versions up to and including 2.3.0. The flaw stems from insufficient sanitization and escaping of user input in the 'ssm' shortcode attributes, allowing authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component, impacting confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a significant risk in multi-user WordPress environments where contributors can post content. The lack of output escaping in shortcode attributes is a common vector for stored XSS in WordPress plugins, emphasizing the need for secure coding practices. The vulnerability was published on January 18, 2025, and assigned by Wordfence.

This vulnerability can lead to unauthorized script execution within the context of affected WordPress sites, compromising user sessions, stealing sensitive information, or performing actions on behalf of users without their consent. For organizations, this can result in data breaches, defacement, loss of user trust, and potential regulatory penalties if personal data is exposed. Since the exploit requires contributor-level access, attackers might leverage compromised or malicious user accounts to inject scripts. The stored nature of the XSS means the malicious payload persists and affects all visitors to the infected pages, increasing the attack surface. The integrity of site content and confidentiality of user data are primarily at risk, while availability remains unaffected. This vulnerability is particularly dangerous for sites with many authenticated users or those that allow user-generated content. Although no known exploits exist currently, the medium severity and ease of exploitation with low complexity suggest attackers could develop exploits quickly once the vulnerability is public knowledge.

Organizations should immediately update the JSM Screenshot Machine Shortcode plugin to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and audit existing content for injected scripts. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script patterns in shortcode attributes can provide temporary protection. Additionally, site owners should enforce Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of XSS. Developers maintaining the plugin should apply proper input validation, sanitization, and output escaping on all user-supplied shortcode attributes following WordPress security best practices. Regular security scanning and monitoring for unusual script injections or user behavior can help detect exploitation attempts early. Backup procedures should be reviewed to ensure quick recovery from potential compromises.