CVE-2024-13392 is a stored cross-site scripting vulnerability identified in the 'Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings' WordPress plugin developed by videowhisper. The flaw exists in all versions up to and including 1.6.3 and stems from insufficient sanitization and escaping of user-supplied input passed through the 'videowhisper_reviews' shortcode. Authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code that is stored persistently and executed in the context of any user who views the affected page. This vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability can affect other users beyond the attacker. Potential impacts include session hijacking, theft of sensitive information, unauthorized actions on behalf of users, and site defacement. No public exploits have been reported yet, but the vulnerability is publicly disclosed and documented. The plugin is used in WordPress environments, which are widely deployed globally, making the threat relevant to many organizations running WordPress sites with this plugin installed. The vulnerability highlights the need for proper input validation and output encoding in web applications, especially for plugins that accept user-generated content. Since no patch links are currently available, mitigation relies on access control, monitoring, and web application firewall rules until an official update is released.

The impact of CVE-2024-13392 is significant for organizations running WordPress sites with the vulnerable plugin installed. Successful exploitation allows authenticated contributors or higher to inject persistent malicious scripts that execute in the browsers of any visitors to the compromised pages. This can lead to session hijacking, enabling attackers to impersonate legitimate users, including administrators, potentially resulting in full site takeover. It can also facilitate theft of sensitive user data, unauthorized actions such as content manipulation or privilege escalation, and damage to organizational reputation through defacement or distribution of malware. The vulnerability affects confidentiality and integrity but not availability directly. Because the attack requires contributor-level access, the risk is somewhat mitigated by proper user role management; however, many WordPress sites allow contributors or similar roles, increasing exposure. The widespread use of WordPress globally means a large attack surface, and targeted attacks against high-value sites using this plugin could have serious consequences. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, as attackers may develop exploits following public disclosure.

1. Monitor for and apply any official patches or updates released by videowhisper for the Rate Star Review Vote plugin as soon as they become available. 2. Restrict contributor-level and higher privileges strictly to trusted users to reduce the risk of malicious script injection. 3. Implement a web application firewall (WAF) with rules designed to detect and block typical XSS payloads, especially those targeting the 'videowhisper_reviews' shortcode parameters. 4. Conduct regular security audits of user-generated content and shortcode usage to identify suspicious or anomalous inputs. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 6. Consider temporarily disabling or removing the vulnerable plugin if patching is not immediately possible, especially on high-risk or public-facing sites. 7. Educate site administrators and contributors about the risks of XSS and safe content submission practices. 8. Use security plugins that sanitize and validate inputs on WordPress sites to provide an additional layer of defense. These measures collectively reduce the likelihood and impact of exploitation until a secure plugin version is deployed.