CVE-2024-13397 is a stored cross-site scripting vulnerability identified in the WPRadio – WordPress Radio Streaming Plugin, a plugin used to stream radio content on WordPress sites. The vulnerability exists due to insufficient sanitization and escaping of user input in the 'wpradio_player' shortcode, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability affects all versions up to and including 1.0.4. The CVSS 3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, privileges required (low), no user interaction, and scope changed (affecting components beyond the vulnerable plugin). While no public exploits are currently known, the vulnerability poses a significant risk because contributor-level users are commonly available on many WordPress sites, and stored XSS can be leveraged for persistent attacks. The vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation. The lack of patch links suggests that a fix may not yet be publicly available, increasing the urgency for mitigation.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject malicious scripts that execute in the browsers of site visitors or administrators. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access to user accounts. It can also facilitate defacement, phishing, or distribution of malware through the compromised site. Since the vulnerability requires authenticated access, the attack surface is somewhat limited; however, contributor roles are common on many WordPress sites, increasing risk. The scope change in the CVSS vector indicates that the vulnerability affects components beyond the immediate plugin, potentially impacting site integrity and user trust. Organizations relying on this plugin for streaming services may face reputational damage, data breaches, and increased risk of further exploitation if attackers leverage this vulnerability as a foothold. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate future risk, especially as exploit code could be developed and shared rapidly once the vulnerability is publicized.

Organizations should immediately audit their WordPress installations to identify the presence of the WPRadio – WordPress Radio Streaming Plugin and verify the version in use. Until an official patch is released, administrators should restrict contributor-level access to trusted users only, minimizing the risk of malicious script injection. Employing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode parameters can provide temporary protection. Additionally, site administrators can implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitoring logs for unusual activity related to the plugin's shortcode usage is recommended. Once a patch becomes available, prompt updating of the plugin is critical. If patching is delayed, consider disabling or removing the plugin to eliminate the attack vector. Educating users with contributor roles about the risks and monitoring their activity can further reduce exploitation chances.