CVE-2024-13391 is a stored cross-site scripting (XSS) vulnerability identified in the MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet WordPress plugin developed by videowhisper. The vulnerability arises from improper neutralization of input during web page generation, specifically within the 'videowhisper_content_upload_guest' shortcode. This shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the affected WordPress site. The vulnerability affects all versions up to and including 2.9.29. The CVSS v3.1 score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with no availability impact. No public exploits have been reported yet, but the vulnerability poses a significant risk to sites using this plugin, especially those with multiple contributors and high user traffic. The scope is limited to sites running this plugin, but the impact can be severe if exploited, as it can compromise user sessions and site integrity.

The primary impact of CVE-2024-13391 is the potential for attackers with contributor-level access to inject malicious scripts that execute in the context of other users visiting the compromised pages. This can lead to theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. Confidentiality is partially compromised as sensitive user data accessible via the browser can be exposed. Integrity is also affected since attackers can manipulate page content or perform actions with victim user privileges. Availability is not impacted directly. Organizations running this plugin on WordPress sites face risks of reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. The risk is heightened in environments with multiple contributors and high user engagement, such as content platforms or subscription-based services. Although no known exploits are currently active in the wild, the vulnerability's ease of exploitation and the widespread use of WordPress make it a credible threat.

To mitigate CVE-2024-13391, organizations should immediately update the MicroPayments – Fans Paysite plugin to a patched version once available. Until a patch is released, administrators should restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the 'videowhisper_content_upload_guest' shortcode can provide interim protection. Site owners should audit existing content for suspicious scripts or injected code and remove any found. Enforcing Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Regular security scanning and monitoring for anomalous user behavior or content changes are recommended. Additionally, educating contributors about secure input handling and monitoring plugin updates from the vendor is critical. Backup procedures should be verified to enable quick restoration if exploitation occurs.