CVE-2024-13395 is a stored cross-site scripting vulnerability identified in the Threepress plugin for WordPress, developed by kerryoco. The vulnerability exists in all versions up to and including 1.7.1 due to improper neutralization of input during web page generation, specifically in the handling of the 'threepress' shortcode's user-supplied attributes. The plugin fails to adequately sanitize and escape input, allowing authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executes in the context of any user who views the infected page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability requires authentication at contributor level or above, but no user interaction is needed to trigger the payload once stored. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and partial confidentiality and integrity impact, but no availability impact. No public exploits have been reported yet, but the vulnerability's nature makes it a candidate for exploitation in targeted attacks. The scope is limited to websites using the Threepress plugin, which is a niche WordPress plugin, but the risk is significant for affected sites. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugin development to prevent XSS attacks.

The primary impact of CVE-2024-13395 is the compromise of confidentiality and integrity on affected WordPress sites. An attacker with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially stealing session cookies, performing actions on behalf of users, or defacing content. This can lead to unauthorized access, data leakage, and reputational damage. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who access the compromised page. Although availability is not directly impacted, the indirect effects of exploitation—such as site defacement or administrative account compromise—can disrupt normal operations. Organizations relying on the Threepress plugin for content presentation are at risk, especially those with multiple contributors. The medium CVSS score reflects moderate severity, but the ease of exploitation by authenticated users and the persistent nature of the attack increase the threat level. The lack of known exploits in the wild suggests limited current exploitation, but the vulnerability should be addressed promptly to prevent future attacks.

To mitigate CVE-2024-13395, organizations should first monitor for and apply any official patches or updates released by the Threepress plugin developers as soon as they become available. Until a patch is released, restrict contributor-level access to trusted users only, minimizing the risk of malicious script injection. Implement strict content moderation policies for user-generated content that uses the 'threepress' shortcode. Employ a Web Application Firewall (WAF) with robust XSS detection and blocking capabilities to intercept malicious payloads before they reach end users. Additionally, use security plugins that enforce output encoding and input validation on WordPress sites. Conduct regular security audits of installed plugins to identify and remediate vulnerabilities promptly. Educate contributors about the risks of injecting untrusted content and encourage reporting of suspicious behavior. Finally, consider disabling or replacing the Threepress plugin if it is not essential to reduce the attack surface.