CVE-2024-13455 is a stored Cross-Site Scripting vulnerability identified in the igumbi Online Booking plugin for WordPress, affecting all versions up to and including 1.40. The root cause is insufficient input sanitization and output escaping of user-supplied attributes within the 'igumbi_calendar' shortcode. This flaw allows authenticated attackers with contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the victim's browser session. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges (contributor or above), no user interaction, and scope change due to the impact on other users. No patches or known exploits are currently reported, but the vulnerability poses a significant risk to websites using this plugin, especially those allowing multiple contributors or editors. The CWE-79 classification confirms the issue as improper neutralization of input during web page generation, a common and impactful web security flaw.

The primary impact of this vulnerability is the compromise of confidentiality and integrity for users interacting with affected WordPress sites. An attacker can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of users. Since the vulnerability requires contributor-level access, attackers must first gain some level of authenticated access, which may be feasible on multi-user sites or those with weak account controls. The stored nature of the XSS means the malicious payload persists and affects all users viewing the infected page, increasing the attack surface. Although availability is not directly impacted, the reputational damage and potential data breaches can be severe. Organizations relying on igumbi Online Booking for customer-facing booking services risk exposing their users to phishing, account compromise, and data theft, which can lead to regulatory penalties and loss of customer trust.

To mitigate this vulnerability, organizations should first check for and apply any official patches or updates from the plugin vendor once available. In the absence of patches, administrators should restrict contributor-level access to trusted users only and audit existing user permissions to minimize risk. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the 'igumbi_calendar' shortcode parameters can provide temporary protection. Site owners should also enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly scanning the website for injected scripts and monitoring logs for suspicious activity is recommended. Developers maintaining the plugin should improve input validation by sanitizing and escaping all user-supplied attributes in shortcodes before rendering. Finally, educating users about the risks of XSS and enforcing strong authentication and session management practices will reduce exploitation likelihood.