CVE-2024-13443 is a stored cross-site scripting (XSS) vulnerability identified in the Easypromos Plugin for WordPress, a tool commonly used to create promotional campaigns and contests. The vulnerability exists due to insufficient sanitization and escaping of user-supplied input within the plugin's shortcode attributes, allowing malicious scripts to be stored in the website's content. Specifically, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages generated by the plugin. When other users visit these pages, the injected scripts execute in their browsers under the context of the vulnerable site, potentially compromising session tokens, cookies, or performing actions on behalf of the victim. The vulnerability affects all versions up to and including 1.3.8. The CVSS 3.1 base score is 6.4 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, but does require privileges (authenticated contributor or above) and does not require user interaction. The scope is changed, indicating that the vulnerability can affect resources beyond the initially vulnerable component. No known public exploits have been reported yet, but the vulnerability poses a significant risk if weaponized. The lack of patch links suggests a fix may not yet be publicly available, emphasizing the need for mitigation. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

The primary impact of CVE-2024-13443 is on the confidentiality and integrity of data within affected WordPress sites using the Easypromos Plugin. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser, which can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential privilege escalation. Since the vulnerability requires contributor-level access, attackers who have compromised or obtained such credentials can leverage this flaw to escalate their impact. This can undermine trust in the affected websites, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. Although availability is not directly impacted, the reputational damage and potential regulatory consequences can be significant. Organizations relying on this plugin for marketing or customer engagement may face operational disruptions and loss of customer confidence if exploited.

1. Immediate mitigation involves restricting contributor-level access to trusted users only, minimizing the risk of malicious input injection. 2. Monitor and audit user-generated content submitted via the Easypromos shortcode to detect any suspicious scripts or payloads. 3. Employ a Web Application Firewall (WAF) with rules designed to detect and block common XSS payloads targeting WordPress plugins. 4. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. 5. Regularly update the Easypromos Plugin as soon as a security patch is released by the vendor; if no patch is available, consider temporarily disabling the plugin or removing the shortcode usage. 6. Educate site administrators and contributors about secure content submission practices and the risks of XSS. 7. Conduct thorough security testing on the site after applying any fixes or mitigations to ensure the vulnerability is fully addressed.