CVE-2024-13406: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in icopydoc XML for Google Merchant Center
CVE-2024-13406 is a reflected Cross-Site Scripting (XSS) vulnerability in the XML for Google Merchant Center WordPress plugin by icopydoc, affecting all versions up to and including 3.0.11. The flaw arises from insufficient input sanitization and output escaping of the 'feed_id' parameter, which lets an unauthenticated attacker place script in the page returned for a crafted URL. Exploitation requires tricking a user into opening that link; the script then runs in the victim's browser in the origin of the affected site. The vulnerability has a CVSS 3.1 base score of 6.1 (medium) and impacts confidentiality and integrity but not availability. No exploitation in the wild has been reported. Organizations running this plugin should patch or apply mitigations to prevent phishing, session abuse, or other script-based attacks against their users and administrators. Countries with significant WordPress usage and e-commerce reliance are at higher risk.
AI Analysis
Technical Summary
CVE-2024-13406 is a reflected Cross-Site Scripting (XSS) vulnerability in the XML for Google Merchant Center plugin for WordPress, developed by icopydoc. It affects all versions up to and including 3.0.11 and stems from improper neutralization of the user-supplied 'feed_id' parameter: the plugin neither validates the value on input nor escapes it when writing it into the generated page, so an attacker can place arbitrary HTML and JavaScript in the response. Because the flaw is reflected, the payload travels in a crafted URL and executes in the browser of whoever opens it. No authentication is needed, but the victim must be induced to follow the link. The CVSS 3.1 base score is 6.1 (medium): network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, low confidentiality and integrity impact, no availability impact. Scope is changed (S:C) because the vulnerable component is the plugin code on the web server while the injected script runs in the user's browser, a different security authority. No public exploit has been reported, but the flaw enables the usual consequences of XSS: theft of data readable from the page, requests issued with the victim's session, and credential phishing inside a trusted origin. The plugin is used by WordPress sites that publish product feeds to Google Merchant Center, so e-commerce and marketing sites are the relevant population. The CVE was assigned by Wordfence and published on January 22, 2025.
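The pattern the advisory describes, shown as an added example that is not the plugin's own code: a query parameter reflected into HTML without type validation or output escaping, next to the hardened form. The function names, the 'xfgmc_feed' page slug and the markup are assumptions; the real plugin's handler is not reproduced here. The two small stand-ins for absint() and esc_attr() exist only so the file runs outside WordPress.

```php
<?php
// Added example (not the plugin's code). Names, page slug and markup are assumptions.

// Minimal stand-ins so the file runs outside WordPress. Inside WordPress the real
// absint() and esc_attr() already exist and these definitions are skipped.
if (!function_exists('absint')) {
    function absint($maybeint) { return abs((int) $maybeint); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}

// Vulnerable pattern: the raw parameter value lands inside an HTML attribute.
function render_feed_link_vulnerable(array $get): string {
    $feed_id = $get['feed_id'] ?? '';
    // BUG: no type check and no escaping. A value such as
    //   "><script>alert(1)</script>
    // closes the attribute and the tag, and the script runs in the victim's browser.
    return '<a href="?page=xfgmc_feed&feed_id=' . $feed_id . '">Edit feed</a>';
}

// Hardened pattern: validate the type on input, then escape for the output context.
function render_feed_link_fixed(array $get): string {
    // The feed identifier is assumed numeric here; absint() turns anything that is
    // not a positive integer (including '"><script>...') into 0, which is rejected.
    $feed_id = absint($get['feed_id'] ?? 0);
    if ($feed_id === 0) {
        return '<p>Invalid feed.</p>';
    }
    // Escape regardless of validation: the output context (an HTML attribute)
    // decides the escaper, and escaping must not depend on upstream checks.
    $href = '?page=xfgmc_feed&feed_id=' . $feed_id;
    return '<a href="' . esc_attr($href) . '">Edit feed</a>';
}

// Constructed attack input and a benign one, run through both handlers.
$attack = ['feed_id' => '"><script>alert(document.domain)</script>'];
echo "vulnerable: ", render_feed_link_vulnerable($attack), "\n";
echo "fixed:      ", render_feed_link_fixed($attack), "\n";
echo "fixed:      ", render_feed_link_fixed(['feed_id' => '17']), "\n";
```

The advisory does not say whether 'feed_id' is numeric in the real plugin. If it is a string slug, replace absint() with a whitelist check (for example a `^[a-z0-9_-]+$` match or sanitize_key()) and keep the context-specific escaper on output: esc_attr() for attributes, esc_html() for text nodes, esc_url() for a complete href.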
Potential Impact
The impact falls on the confidentiality and integrity of users who open a crafted link to an affected site. Script injected through 'feed_id' runs in the site's origin, so it can read anything on the page, submit forms, and issue requests carrying the victim's session. WordPress sets its authentication cookies HttpOnly by default, so plain cookie theft is not the main concern; the realistic outcomes are actions performed as the victim (through admin-ajax or the REST API, for which admin pages expose the nonce) and a fake login overlay that harvests credentials. Against a logged-in administrator this can mean account takeover or tampering with store content and product feeds. Availability is not directly affected, but the reputational damage and loss of customer trust can be significant for e-commerce and marketing sites that depend on Google Merchant Center feeds. No authentication is required and the only hurdle is user interaction, so a targeted phishing campaign against site staff is the expected attack path. No exploitation in the wild has been reported, which lowers immediate risk but not the exposure: a reflected XSS in a named parameter is trivial to weaponize once published.
Mitigation Recommendations
1. Update the XML for Google Merchant Center plugin to a release later than 3.0.11 as soon as one is available, and watch the vendor's changelog for the fix.
2. Until then, add a Web Application Firewall rule that rejects requests whose 'feed_id' parameter, after URL decoding, contains HTML metacharacters or script fragments.
3. Send a Content-Security-Policy header that disallows inline script execution to limit what an injected payload can do. WordPress admin pages rely heavily on inline scripts, so an enforcing policy is usually practical only for the public front end; roll it out in report-only mode first.
4. Educate users and administrators not to follow unexpected links pointing at the site, in particular links carrying 'feed_id' in the query string.
5. Audit custom code and other plugins for the same pattern: validate input type on entry and escape every value for its output context (esc_html, esc_attr, esc_url, esc_js in WordPress).
6. Search web server logs for requests whose 'feed_id' value is not a plain identifier, and alert on repeated attempts from one client.
7. If the plugin is not business-critical, deactivate it until a patched release is installed.
8. Use a security plugin that adds request filtering for known WordPress XSS patterns.
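Items 2 and 6 above amount to the same predicate applied at different points: decide whether a 'feed_id' value looks like an injection attempt, and run that decision either at request time (WAF) or over access logs afterwards. The following is an added example, not the site's or the plugin's code; the log lines, client IPs and the admin.php?page= request path are constructed for the example, since the advisory does not state where the parameter is reflected.

```php
<?php
// Added example (not the site's or the plugin's code). Log lines, IPs and the
// request path are constructed; the real reflection point is not stated in the advisory.

// Four combined-format access log lines: one benign feed_id, two injection
// attempts from the same client, and one unrelated request.
function sample_log(): string {
    return <<<'LOG'
203.0.113.7 - - [22/Jan/2025:10:01:02 +0000] "GET /wp-admin/admin.php?page=xfgmc_feed&feed_id=17 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jan/2025:10:01:05 +0000] "GET /wp-admin/admin.php?page=xfgmc_feed&feed_id=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5401 "-" "curl/8.4.0"
198.51.100.9 - - [22/Jan/2025:10:01:09 +0000] "GET /wp-admin/admin.php?page=xfgmc_feed&feed_id=1%27%20onmouseover%3Dalert(1)%20x%3D%27 HTTP/1.1" 200 5398 "-" "curl/8.4.0"
203.0.113.8 - - [22/Jan/2025:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;
}

// Whether a decoded feed_id value looks like an injection attempt. A feed identifier
// is expected to be a short token; anything else containing HTML metacharacters,
// a javascript: scheme or an event-handler assignment is flagged. This is a
// heuristic, so tune the allowed token shape to what the site actually uses.
function feed_id_is_suspicious(string $value): bool {
    if (preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value)) {
        return false;
    }
    return (bool) preg_match('/[<>"\']|javascript:|on\w+\s*=/i', $value);
}

// Parse combined-format lines and return one finding per request whose feed_id
// is suspicious: ['ip' => ..., 'time' => ..., 'feed_id' => decoded value].
function scan_access_log(string $log): array {
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Only the client IP, the timestamp and the request target are needed.
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [, $ip, $time, , $target] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        parse_str($query, $params);   // parse_str URL-decodes each value once
        if (!isset($params['feed_id']) || !is_string($params['feed_id'])) {
            continue;
        }
        if (feed_id_is_suspicious($params['feed_id'])) {
            $findings[] = ['ip' => $ip, 'time' => $time, 'feed_id' => $params['feed_id']];
        }
    }
    return $findings;
}

// Number of flagged requests per client, for the "repeated attempts" alert.
function attempts_per_client(array $findings): array {
    return array_count_values(array_column($findings, 'ip'));
}

$findings = scan_access_log(sample_log());
foreach ($findings as $f) {
    printf("%s %s feed_id=%s\n", $f['time'], $f['ip'], $f['feed_id']);
}
foreach (attempts_per_client($findings) as $ip => $n) {
    printf("%s: %d flagged request(s)\n", $ip, $n);
}
```

parse_str() decodes one layer of percent-encoding, so a double-encoded payload (%2522 for a quote) would pass as a harmless-looking token; a WAF normalizes this before matching, and an offline scan should decode in a loop until the value stops changing. The predicate in feed_id_is_suspicious() is what the corresponding WAF rule on the 'feed_id' parameter should express.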
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-15T16:48:24.699Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e54b7ef31ef0b59e5c1
Added to database: 2/25/2026, 9:49:08 PM
Last enriched: 2/26/2026, 1:16:42 AM
Last updated: 2/26/2026, 9:05:08 AM