CVE-2024-13460: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wordpresteem WE – Testimonial Slider
CVE-2024-13460 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin WE – Testimonial Slider affecting all versions up to 1.5. Authenticated users with Contributor-level access or higher can inject malicious scripts via the Testimonial Author Names field. These scripts execute in the context of any user viewing the affected pages, potentially leading to session hijacking or privilege escalation. The vulnerability arises from insufficient input sanitization and output escaping. Exploitation does not require user interaction beyond page access. The CVSS score is 6.4 (medium severity), reflecting network exploitability with low attack complexity but requiring authenticated privileges. No known public exploits have been reported yet. Organizations using this plugin should prioritize patching or applying mitigations to prevent abuse.
AI Analysis
Technical Summary
CVE-2024-13460 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin WE – Testimonial Slider, which is used to display testimonial sliders on websites. The vulnerability exists in all versions up to and including 1.5 due to improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to adequately sanitize and escape user-supplied input in the Testimonial Author Names field, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code. When other users visit pages containing the injected testimonial, the malicious script executes in their browsers, potentially enabling session hijacking, defacement, or further attacks such as privilege escalation or malware delivery. The vulnerability requires authentication but no additional user interaction beyond visiting the compromised page. The CVSS v3.1 score of 6.4 indicates a medium severity, with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to impact on other users. No public exploits have been reported at this time. The vulnerability was published on January 30, 2025, and assigned by Wordfence. Since the plugin is used in WordPress environments, the risk is tied to the prevalence of this plugin and the level of user privileges granted on affected sites.
Potential Impact
The impact of CVE-2024-13460 is significant for organizations running WordPress sites with the WE – Testimonial Slider plugin installed. An attacker with Contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential compromise of site integrity. Since the vulnerability affects all versions up to 1.5, any unpatched site is at risk. The scope of impact extends beyond the initial attacker to all users who view the injected testimonial content, increasing the potential damage. Although exploitation requires authenticated access, Contributor-level permissions are commonly granted to trusted users or content creators, which broadens the attack surface. The vulnerability does not affect availability but compromises confidentiality and integrity. Organizations with high traffic or sensitive user data on affected sites face increased risk of data breaches or reputational damage.
Mitigation Recommendations
To mitigate CVE-2024-13460, organizations should immediately update the WE – Testimonial Slider plugin to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level access to trusted users only and review existing testimonials for suspicious content. Implementing Web Application Firewall (WAF) rules to detect and block malicious script patterns in testimonial author fields can reduce risk. Additionally, applying Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting script execution sources. Regularly auditing user roles and permissions to minimize unnecessary privileges reduces the likelihood of exploitation. Site owners should also monitor logs for unusual activity related to testimonial submissions or page views. Finally, educating content contributors about secure input practices and the risks of XSS can help prevent accidental injection of malicious code.
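The root cause named above, missing output escaping of a stored author name, and the hardening the mitigations call for can be shown side by side. The following is an added illustration, not code from the WE – Testimonial Slider plugin or from Wordfence: the function names (render_author_unsafe, render_author_safe, save_author_name, find_suspicious_author_names), the markup, and the sample rows are all assumptions constructed for this example. The WordPress helpers esc_html() and sanitize_text_field() are real; minimal stand-ins are defined only so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example (not the plugin's code): a stored-XSS sink in a
// testimonial "author name" field and its hardened equivalent.
// All function and variable names here are assumptions for illustration.

// Stand-ins so the file runs outside WordPress; inside WordPress the
// real helpers are already defined and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // The WordPress version also strips octets and extra whitespace;
    // the tag stripping is the part that matters for this example.
    function sanitize_text_field($text) {
        return trim(strip_tags((string) $text));
    }
}

// Vulnerable pattern (CWE-79): the stored author name is concatenated
// into the page as-is, so any markup saved by a Contributor is rendered
// in every visitor's browser.
function render_author_unsafe(string $author_name): string {
    return '<span class="we-author">' . $author_name . '</span>';
}

// Hardened pattern: escape at the output sink so the browser treats the
// stored value as text, whatever the database already contains.
function render_author_safe(string $author_name): string {
    return '<span class="we-author">' . esc_html($author_name) . '</span>';
}

// Defence in depth: normalise the value on save as well. Output escaping
// is still required, because rows written before the fix may hold markup.
function save_author_name(string $submitted): string {
    return sanitize_text_field($submitted);
}

// Audit helper for the "review existing testimonials" step: flag stored
// author names containing a tag, an event-handler attribute or a
// javascript: URL so an administrator can inspect them.
function find_suspicious_author_names(array $stored_names): array {
    $pattern = '/<[a-z!\/]|\bon[a-z]+\s*=|javascript:/i';
    return array_values(array_filter($stored_names, function ($name) use ($pattern) {
        return preg_match($pattern, $name) === 1;
    }));
}

// Constructed sample rows standing in for stored testimonial records.
$stored = [
    'Jane Doe',
    'Jane <script>/* constructed sample */</script>',
    "O'Brien & Sons",
];
foreach ($stored as $name) {
    echo 'unsafe: ', render_author_unsafe($name), PHP_EOL;
    echo 'safe:   ', render_author_safe($name), PHP_EOL;
}
print_r(find_suspicious_author_names($stored));
```

The safe renderer turns `<`, `>`, `&` and quotes into entities, so a name such as O'Brien & Sons still displays correctly while markup can no longer execute. The audit helper is a coarse triage filter, not a sanitizer: it is meant to shortlist rows for manual review of existing content, while the escaping at the output sink is what actually closes the vulnerability.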
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-16T15:19:15.748Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e59b7ef31ef0b59eb37
Added to database: 2/25/2026, 9:49:13 PM
Last enriched: 2/26/2026, 12:45:40 AM
Last updated: 2/26/2026, 8:31:11 AM