CVE-2024-13402 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Buddyboss Platform plugin for WordPress. This vulnerability affects all versions up to and including 2.7.70. The root cause is insufficient input sanitization and output escaping of the 'link_title' parameter, which is used during web page generation. Authenticated attackers with Subscriber-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the vulnerable parameter. Because the payload is stored, the malicious script executes every time any user accesses the infected page, potentially compromising user sessions, stealing sensitive information, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and scope changed (S:C). No public exploits are currently known, but the vulnerability's presence in a widely used WordPress plugin makes it a significant concern. The vulnerability affects the confidentiality and integrity of user data but does not impact availability. The Buddyboss Platform is commonly used for community and membership sites, increasing the potential impact of this vulnerability in such environments.

The exploitation of CVE-2024-13402 can lead to unauthorized script execution within the context of affected websites, enabling attackers to hijack user sessions, steal cookies or credentials, perform actions on behalf of users, or deliver further malware. This can undermine user trust, lead to data breaches, and cause reputational damage to organizations. Since the vulnerability requires only Subscriber-level authentication, attackers can exploit it even with minimal privileges, increasing the attack surface. The stored nature of the XSS means that all visitors to the compromised pages are at risk, amplifying the potential impact. Organizations running community-driven or membership-based websites using Buddyboss Platform are particularly vulnerable, as attackers could target large user bases. While availability is not directly impacted, the integrity and confidentiality risks are significant. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits may emerge.

Organizations should immediately update the Buddyboss Platform plugin to a patched version once available. In the absence of an official patch, administrators should implement strict input validation and output encoding for the 'link_title' parameter to prevent script injection. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting this parameter can reduce risk. Restricting Subscriber-level permissions to limit the ability to inject content may also help mitigate exploitation. Regularly auditing user-generated content for malicious scripts and educating users about the risks of XSS attacks are recommended. Additionally, implementing Content Security Policy (CSP) headers can help contain the impact of any injected scripts by restricting script execution sources. Monitoring logs for unusual activity related to the 'link_title' parameter and user accounts with Subscriber access can provide early detection of exploitation attempts.