
CVE-2024-13390: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in giuliopanda ADFO – Custom data in admin dashboard

Severity: Medium
Tags: Vulnerability, CVE-2024-13390, CWE-79
Published: Wed Feb 19 2025 (02/19/2025, 07:32:07 UTC)
Source: CVE Database V5
Vendor/Project: giuliopanda
Product: ADFO – Custom data in admin dashboard

Description

CVE-2024-13390 is a stored cross-site scripting (XSS) vulnerability in the giuliopanda ADFO – Custom data in admin dashboard WordPress plugin, affecting all versions up to and including 1.9.1. The flaw arises from insufficient input sanitization and output escaping in the plugin's 'adfo_list' shortcode, allowing authenticated users with contributor-level access or higher to inject malicious scripts. Because the injected content is stored, the scripts execute whenever any user views the affected page, potentially leading to session hijacking, privilege escalation, or unauthorized actions. The vulnerability has a CVSS score of 6.4 (medium severity), with no known exploits in the wild as of now. Organizations using this plugin should prioritize patching or mitigating this issue. The threat primarily affects WordPress sites using this plugin globally, with higher risk in countries with widespread WordPress adoption and active contributor communities. Mitigation involves restricting contributor privileges, implementing strict input validation and output escaping, and monitoring admin dashboard activity for suspicious behavior.

AI-Powered Analysis

Last updated: 02/26/2026, 01:31:24 UTC

Technical Analysis

CVE-2024-13390 is a stored cross-site scripting vulnerability identified in the giuliopanda ADFO – Custom data in admin dashboard WordPress plugin, specifically in all versions up to and including 1.9.1. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where the plugin fails to adequately sanitize and escape user-supplied attributes in the 'adfo_list' shortcode. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages rendered by the plugin. Because the injected scripts are stored persistently, they execute whenever any user accesses the affected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions within the WordPress environment. The vulnerability does not require user interaction beyond visiting the injected page and has a CVSS 3.1 base score of 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. No patches or known exploits have been reported yet, but the risk remains significant given the common use of WordPress and the plugin’s administrative context. The vulnerability highlights the importance of strict input validation and output encoding in plugins handling user-generated content, especially in administrative dashboards where elevated privileges exist.

Potential Impact

The impact of CVE-2024-13390 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts, which execute in the context of other users, including administrators. This can lead to session hijacking, credential theft, unauthorized administrative actions, and potential site defacement or redirection. While availability is not directly affected, the compromise of administrative accounts or site integrity can cause significant operational disruption. Organizations relying on this plugin risk unauthorized access escalation and data leakage, particularly if administrators or editors access the injected pages. The vulnerability could also facilitate further attacks such as malware distribution or lateral movement within the site’s infrastructure. Given WordPress’s widespread use globally, the threat could affect numerous organizations, especially those with multiple contributors and less stringent access controls. The absence of known exploits currently reduces immediate risk, but the medium severity score and ease of exploitation by authenticated users make timely remediation critical.

Mitigation Recommendations

To mitigate CVE-2024-13390, organizations should first update the ADFO – Custom data in admin dashboard plugin to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level privileges to trusted users only, minimizing the risk of malicious script injection. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script payloads in shortcode attributes can provide interim protection. Additionally, site administrators should audit existing content for injected scripts and remove any suspicious entries. Enforcing strict input validation and output encoding within the plugin’s codebase is essential to prevent future occurrences. Monitoring user activity logs for unusual behavior in the admin dashboard can help detect exploitation attempts early. Employing Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Finally, educating contributors about secure content practices and the risks of injecting untrusted code is recommended to reduce inadvertent exploitation.
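The "strict input validation and output encoding" advice above is easiest to see on a concrete shortcode handler. The following is an added illustration, not code from the ADFO plugin: a hypothetical shortcode named example_list that renders a caller-supplied title and CSS class, shown first in the unescaped form that produces this class of bug and then in a hardened form using WordPress's own escaping and validation helpers (shortcode_atts, esc_attr, esc_html, in_array, add_shortcode, add_action are real WordPress/PHP APIs; the function and attribute names are assumptions). A send_headers hook emitting the Content-Security-Policy header mentioned above is included as a defence-in-depth layer.

```php
<?php
// Added example; not the ADFO plugin's code. Function names, the shortcode
// tag 'example_list' and the attribute names are hypothetical.

// Unsafe pattern: shortcode attributes are concatenated straight into HTML.
// A contributor who can place the shortcode controls 'title' and 'class',
// so whatever markup they store is emitted verbatim to every viewer.
function example_list_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'class' => '' ),
        $atts,
        'example_list'
    );
    return '<div class="' . $atts['class'] . '"><h3>' . $atts['title'] . '</h3></div>';
}

// Hardened pattern: validate against an allow-list where the value set is
// known, and escape for the exact output context everywhere else.
function example_list_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'class' => '' ),
        $atts,
        'example_list'
    );

    // Input validation: 'class' may only be one of a fixed set of values.
    // Strict comparison (third argument true) avoids loose-typing surprises.
    $allowed_classes = array( 'compact', 'wide' );
    $class = in_array( $atts['class'], $allowed_classes, true ) ? $atts['class'] : 'compact';

    // Output encoding chosen per context:
    //   esc_attr() inside an HTML attribute value,
    //   esc_html() inside a text node.
    return '<div class="' . esc_attr( $class ) . '"><h3>' . esc_html( $atts['title'] ) . '</h3></div>';
}

// Register only the hardened handler.
add_shortcode( 'example_list', 'example_list_shortcode_safe' );

// Defence in depth: a Content-Security-Policy header restricts where scripts
// may load from, limiting what an injected inline script could do if one
// slipped through. Tighten or relax the policy to match the site's assets.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'" );
} );
```

If the shortcode is meant to accept a limited amount of contributor-authored HTML rather than plain text, replace esc_html() with wp_kses_post(), which strips tags and attributes outside WordPress's post allow-list instead of encoding everything; either way the decision is made at output time, in the handler, rather than trusting what was stored.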


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-14T16:37:39.350Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e54b7ef31ef0b59e4c4

Added to database: 2/25/2026, 9:49:08 PM

Last enriched: 2/26/2026, 1:31:24 AM

Last updated: 2/26/2026, 8:08:18 AM

