CVE-2024-13433 is a stored cross-site scripting vulnerability identified in the yunra Utilities for MTG plugin for WordPress, affecting all versions up to and including 1.4.1. The vulnerability stems from improper neutralization of input during web page generation, specifically within the 'mtglink' shortcode. This shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code that is stored persistently in the WordPress database. When any user accesses a page containing the injected shortcode, the malicious script executes in their browser context. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, defacement, or further exploitation of the site. The vulnerability requires authentication but no user interaction beyond visiting the compromised page. The CVSS v3.1 score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and partial impact on confidentiality and integrity but no impact on availability. No public exploits are currently known. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that allow user-generated content or shortcode attributes. Since the plugin is used in WordPress environments, the scope includes any websites running this plugin, particularly those with multiple contributors. The vulnerability is assigned CWE-79, a common and well-understood class of web application security flaws.

The impact of CVE-2024-13433 is primarily on the confidentiality and integrity of affected WordPress sites using the yunra Utilities for MTG plugin. An attacker with contributor-level access can inject persistent malicious scripts that execute in the browsers of any visitors to the infected pages. This can lead to session hijacking, enabling attackers to escalate privileges or impersonate other users, including administrators. It can also facilitate defacement, phishing, or distribution of malware. Although availability is not directly impacted, the loss of trust and potential data breaches can have significant reputational and operational consequences. Organizations relying on this plugin for content management or community engagement may face data leakage or unauthorized modifications. Since exploitation requires authenticated access, the threat is mitigated somewhat by access controls, but insider threats or compromised contributor accounts increase risk. The medium CVSS score reflects a moderate but non-trivial risk that should be addressed promptly to prevent exploitation in environments with multiple contributors or public-facing content.

To mitigate CVE-2024-13433, organizations should immediately update the yunra Utilities for MTG plugin to a patched version once available. In the absence of a patch, administrators should restrict contributor-level access to trusted users only and audit existing content for injected scripts within the 'mtglink' shortcode. Implementing Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute patterns can provide interim protection. Additionally, site administrators should enforce strict input validation and output escaping in custom shortcode implementations or extensions. Monitoring logs for unusual shortcode usage or unexpected script injections is recommended. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular security training for contributors on safe content practices and the risks of XSS can reduce accidental exploitation. Finally, consider disabling or removing the plugin if it is not essential to reduce the attack surface.