CVE-2024-13401 is a stored cross-site scripting vulnerability affecting the Payment Button for PayPal plugin for WordPress, specifically in all versions up to and including 1.2.3.35. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes within the plugin's 'wp_paypal_checkout' shortcode. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts that utilize this shortcode. Because the malicious script is stored persistently in the WordPress database, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the affected page and has a CVSS 3.1 base score of 6.4, reflecting its medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction, and impacts confidentiality and integrity with no effect on availability. No official patches or fixes have been linked yet, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to cross-site scripting.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject malicious scripts that execute in the context of other users visiting the compromised pages. This can lead to theft of authentication cookies, session hijacking, defacement, unauthorized actions performed with victim user privileges, and potential pivoting to further attacks within the WordPress environment. Organizations running websites with this plugin are at risk of reputational damage, data leakage, and unauthorized access. Since contributor-level access is required, the threat is somewhat limited to insiders or compromised accounts with elevated privileges, but the scope includes any user who views the infected content, including administrators. The vulnerability affects confidentiality and integrity but does not impact availability. Given the widespread use of WordPress and PayPal payment buttons, many small to medium businesses and e-commerce sites could be affected globally.

1. Immediately restrict contributor-level and higher access to trusted users only, and audit existing user privileges to reduce risk exposure. 2. Monitor and review all content that uses the 'wp_paypal_checkout' shortcode for suspicious or unauthorized script injections. 3. Apply strict input validation and output escaping manually if patching is not yet available, for example by sanitizing shortcode attributes before rendering. 4. Disable or remove the Payment Button for PayPal plugin until an official patch or update is released. 5. Employ Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting this plugin. 6. Educate content contributors about the risks of injecting untrusted content and enforce secure content creation policies. 7. Regularly update WordPress core, plugins, and themes to the latest versions once patches are available. 8. Implement Content Security Policy (CSP) headers to reduce the impact of injected scripts executing in browsers.