CVE-2024-13427 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Page Builder: Pagelayer – Drag and Drop website builder developed by Softaculous. The vulnerability exists in all versions up to and including 2.0.0, specifically within the plugin's Button widget. The root cause is improper neutralization of user-supplied input due to insufficient sanitization and output escaping when generating web pages. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the Button widget's attributes. Because the injected scripts are stored persistently, they execute whenever any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability was partially addressed in version 1.9.9 and fully resolved in version 2.0.1. The CVSS v3.1 base score is 6.4, indicating medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No known exploits are currently reported in the wild. The vulnerability highlights the importance of rigorous input validation and output encoding in web application components that accept user input, especially in content management system plugins that are widely deployed.

The impact of CVE-2024-13427 can be significant for organizations using the vulnerable Page Builder: Pagelayer plugin. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the context of any user viewing the compromised page. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of users, defacement of websites, or distribution of malware. Since contributor-level access is required, the threat is primarily from insider threats or compromised accounts rather than anonymous attackers. However, many WordPress sites allow contributors or editors, increasing the attack surface. The confidentiality and integrity of user data and site content are at risk, potentially damaging organizational reputation and user trust. The vulnerability does not affect availability directly but can facilitate further attacks that might. Organizations relying on this plugin for website building and content management should consider the risk of persistent XSS attacks and the potential for lateral movement or privilege escalation within their web environments.

To mitigate CVE-2024-13427, organizations should immediately upgrade the Page Builder: Pagelayer plugin to version 2.0.1 or later, where the vulnerability is fully fixed. If upgrading is not immediately possible, restrict contributor-level access to trusted users only and monitor for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the Button widget parameters. Conduct regular audits of user-generated content for injected scripts or anomalies. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Additionally, review and harden WordPress user roles and permissions to minimize the number of users with contributor or higher privileges. Educate content editors about the risks of injecting untrusted content. Finally, maintain an up-to-date inventory of plugins and monitor vendor advisories for future patches or related vulnerabilities.