CVE-2024-13387 is a stored cross-site scripting (XSS) vulnerability identified in the WP Responsive Tabs plugin for WordPress, affecting all versions up to and including 1.2.9. The root cause is insufficient sanitization and output escaping of user-supplied attributes within the plugin's 'wprtabs' shortcode. This flaw allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages or posts. Because the malicious script is stored persistently in the WordPress database, it executes every time a user accesses the infected page, potentially compromising the confidentiality and integrity of user sessions or data. The vulnerability does not require user interaction beyond visiting the infected page and does not affect availability. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to affecting other components beyond the plugin itself. No known exploits are currently reported in the wild, but the vulnerability poses a risk especially in multi-user WordPress environments where contributors can add content. The lack of a patch link suggests that users must monitor vendor updates or apply manual mitigations. This vulnerability falls under CWE-79, a common and impactful web security weakness.

The primary impact of this vulnerability is the potential for stored cross-site scripting attacks, which can lead to unauthorized script execution in the context of the victim's browser. This can result in theft of session cookies, user impersonation, defacement, or redirection to malicious sites, thereby compromising confidentiality and integrity of user data. Since the vulnerability requires contributor-level access, attackers must first gain or already have authenticated access, limiting exposure somewhat. However, in environments with multiple contributors or less restrictive access controls, the risk increases. The scope change indicated by the CVSS score means the vulnerability can affect other components or users beyond the plugin itself, potentially impacting site administrators and visitors. Although availability is not directly affected, the reputational damage and loss of user trust from successful exploitation can be significant. Organizations relying on this plugin for content presentation on WordPress sites face risks of data leakage and unauthorized actions if the vulnerability is exploited.

To mitigate CVE-2024-13387, organizations should first check for and apply any official patches or updates from the WP Responsive Tabs plugin vendor as soon as they become available. In the absence of an official patch, administrators should consider temporarily disabling the plugin or removing the 'wprtabs' shortcode usage from content. Restrict contributor-level access to trusted users only, and audit existing content for injected scripts. Implement web application firewalls (WAFs) with rules to detect and block malicious script payloads targeting the shortcode parameters. Additionally, site administrators can harden the plugin code by adding robust input validation and output escaping functions for all user-supplied attributes in the shortcode. Regular security scanning and monitoring for unusual script injections or anomalous user behavior can help detect exploitation attempts early. Educating contributors about safe content practices and limiting plugin usage to trusted environments further reduces risk.