CVE-2024-13466 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Automatically Hierarchic Categories in Menu plugin for WordPress, affecting all versions up to and including 2.0.7. The flaw stems from improper neutralization of input during web page generation, specifically within the 'autocategorymenu' shortcode. This shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. Once injected, these scripts are stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability requires no user interaction to trigger and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based, with low attack complexity, and privileges required are limited to authenticated contributors. The vulnerability impacts confidentiality and integrity but does not affect availability. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WordPress and the plugin's functionality. The vulnerability was publicly disclosed on January 30, 2025, and is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).

The primary impact of CVE-2024-13466 is the compromise of confidentiality and integrity within affected WordPress sites. Exploitation allows authenticated contributors to inject malicious scripts that execute in the context of other users, including administrators. This can lead to session hijacking, theft of sensitive information, unauthorized content modification, and potential privilege escalation. Although availability is not directly impacted, successful exploitation can undermine user trust and site integrity. Organizations relying on the affected plugin risk data breaches, defacement, and further compromise of their WordPress environments. Since the vulnerability requires contributor-level access, attackers must first obtain such credentials, which may be easier in environments with weak access controls or compromised user accounts. The widespread use of WordPress globally means many organizations, including businesses, media outlets, and government sites, could be targeted, especially those with collaborative content management workflows.

To mitigate CVE-2024-13466, organizations should immediately update the Automatically Hierarchic Categories in Menu plugin to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block malicious scripts in shortcode attributes can provide temporary protection. Additionally, site administrators should enforce strict input validation and output encoding practices in custom code and plugins. Regular security scanning and monitoring for anomalous script injections or unusual user behavior are recommended. Educating content contributors about safe practices and the risks of injecting untrusted content can reduce exploitation likelihood. Finally, maintaining regular backups and incident response plans will help recover quickly if exploitation occurs.