CVE-2024-13393: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in videowhisper Video Share VOD – Turnkey Video Site Builder Script
CVE-2024-13393 is a stored cross-site scripting (XSS) vulnerability in the Video Share VOD – Turnkey Video Site Builder Script WordPress plugin, affecting all versions up to 2.6.31. It arises from improper input sanitization and output escaping of user-supplied attributes in the 'videowhisper_videos' shortcode. Authenticated attackers with contributor-level access or higher can inject malicious scripts that execute when other users view the compromised pages. The vulnerability has a CVSS score of 6.4 (medium severity) and does not require user interaction but does require authentication with low privileges. Exploitation can lead to partial confidentiality and integrity loss, such as session hijacking or content manipulation. No known public exploits exist yet. Organizations using this plugin should prioritize patching or applying strict input validation and output encoding to mitigate risks.
AI Analysis
Technical Summary
CVE-2024-13393 is a stored cross-site scripting (XSS) vulnerability identified in the Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress, affecting all versions up to and including 2.6.31. The vulnerability stems from improper neutralization of input during web page generation, specifically within the 'videowhisper_videos' shortcode. The plugin fails to adequately sanitize and escape user-supplied shortcode attributes, allowing authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored with the page content, it executes in the browser of every user who views the affected page, potentially compromising user sessions, stealing cookies, or manipulating page content. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity: network attack vector, low attack complexity, low privileges required, no user interaction, and changed scope. The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a significant risk in environments where multiple users hold contributor or higher roles. The plugin is widely used for video content management on WordPress sites, increasing the attack surface. The vulnerability was published on January 18, 2025, and no official patches have been linked yet, emphasizing the need for immediate mitigation steps.
Potential Impact
The primary impact of CVE-2024-13393 is the potential compromise of user confidentiality and integrity on affected WordPress sites using the vulnerable Video Share VOD plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the context of other users, including administrators and site visitors. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of users, and defacement or manipulation of site content. Although availability is not directly affected, the trustworthiness and security posture of the affected websites can be severely damaged. Organizations relying on this plugin for video content delivery may face reputational damage, data breaches, and regulatory compliance issues, especially if sensitive user data is exposed. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but the low privilege level needed broadens the risk. The vulnerability is particularly concerning for multi-user WordPress environments such as media companies, educational platforms, and community sites where contributor roles are common.
Mitigation Recommendations
To mitigate CVE-2024-13393, organizations should first verify whether they use the Video Share VOD – Turnkey Video Site Builder Script plugin and identify the version in use. Since no official patch links are currently available, immediate steps include restricting contributor-level access and above to trusted users only, minimizing the number of users with such privileges. Implement strict input validation and context-appropriate output encoding for all user-supplied attributes of the 'videowhisper_videos' shortcode, either by applying custom code filters or by using security plugins that enforce sanitization. Employ a Web Application Firewall (WAF) with rules targeting XSS payloads to detect and block malicious requests. Regularly audit user-generated content, including posts containing the shortcode, for injected scripts and remove any suspicious entries. Monitor logs for unusual activity from contributor accounts. Educate site administrators and users about the risks of XSS and the importance of least-privilege principles. Once an official patch is released, apply it promptly. Additionally, consider isolating the plugin's usage to subdomains or sandboxed environments to limit the potential impact.
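As an added illustration (not the plugin's own code), the following hypothetical WordPress shortcode handler shows the weak pattern the advisory describes, attribute values rendered into HTML without sanitization or escaping, next to a hardened version that validates each attribute on input and escapes it for its exact output context. The attribute names and the example shortcode tag are assumptions.

```php
<?php
// Hypothetical shortcode in the style of 'videowhisper_videos' (illustration only).
// Attribute names (category, per_page, title) are assumed for the example.

// WEAK PATTERN: attribute values go straight into the generated HTML. A contributor
// who places the shortcode in a post therefore controls markup that is stored and
// later rendered in every viewer's browser, which is the stored XSS in the advisory.
function vw_example_videos_unsafe( $atts ) {
    $a = shortcode_atts(
        array( 'category' => '', 'per_page' => 10, 'title' => 'Videos' ),
        $atts
    );
    return '<div class="vw-videos" data-category="' . $a['category'] . '"'
         . ' data-per-page="' . $a['per_page'] . '">'
         . '<h2>' . $a['title'] . '</h2></div>';
}

// HARDENED PATTERN: validate on input (each attribute coerced to the type it is meant
// to be), then escape on output with the function matching the HTML context.
function vw_example_videos_safe( $atts ) {
    $a = shortcode_atts(
        array( 'category' => '', 'per_page' => 10, 'title' => 'Videos' ),
        $atts
    );

    // Input validation: a slug may only contain [a-z0-9_-]; a count is a bounded integer;
    // a title is plain text with tags and control characters stripped.
    $category = sanitize_key( $a['category'] );
    $per_page = min( absint( $a['per_page'] ), 100 );
    $title    = sanitize_text_field( $a['title'] );

    // Output escaping chosen per context: esc_attr() inside attribute values,
    // esc_html() for element text. Never rely on sanitization alone for output.
    return '<div class="vw-videos" data-category="' . esc_attr( $category ) . '"'
         . ' data-per-page="' . esc_attr( $per_page ) . '">'
         . '<h2>' . esc_html( $title ) . '</h2></div>';
}

// Registered under an example tag so it does not collide with the real plugin's shortcode.
add_shortcode( 'vw_example_videos', 'vw_example_videos_safe' );
```

The same validate-then-escape discipline applies to every attribute the real shortcode renders, including any that end up in URLs (use esc_url()) or inline JavaScript (avoid, or use wp_json_encode()).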
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-14T16:45:14.693Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e54b7ef31ef0b59e4d3
Added to database: 2/25/2026, 9:49:08 PM
Last enriched: 2/26/2026, 1:30:39 AM
Last updated: 2/26/2026, 8:47:15 AM