CVE-2024-13469 identifies a stored Cross-Site Scripting vulnerability in the Pricing Table by PickPlugins WordPress plugin, present in all versions up to and including 1.12.10. The vulnerability stems from improper neutralization of input (CWE-79) during web page generation, specifically in the Button Link field of the plugin's pricing tables. Authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript code that is stored persistently and executed whenever any user accesses the affected page. This occurs due to insufficient input sanitization and lack of proper output escaping, allowing malicious scripts to be embedded in the plugin's output. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change (impacting other components). The impact includes partial confidentiality and integrity loss, such as theft of cookies, session tokens, or execution of unauthorized actions on behalf of users. Availability is not impacted. No public exploits have been reported yet, but the vulnerability poses a risk especially in multi-user WordPress environments where contributors can add content. The plugin is widely used in WordPress sites for pricing tables, making this a relevant threat for many organizations relying on WordPress for content management. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations.

The vulnerability allows authenticated contributors or higher to inject persistent malicious scripts into pages, which execute in the context of any user viewing those pages. This can lead to theft of sensitive information such as authentication cookies or tokens, enabling session hijacking or privilege escalation. Attackers could also perform unauthorized actions on behalf of users, potentially compromising site integrity and user trust. Although availability is not directly affected, the integrity and confidentiality impacts can disrupt normal operations and lead to reputational damage. Organizations with multiple content contributors are particularly at risk, as the attack requires authenticated access but no further user interaction. The scope change means that the vulnerability affects components beyond the initial vulnerable plugin, potentially impacting the entire WordPress site and its users. Given WordPress's widespread use globally, the potential impact is significant for websites relying on this plugin for pricing display and user interaction.

Organizations should immediately review user roles and restrict Contributor-level access to trusted users only, minimizing the risk of malicious input. Until an official patch is released, consider disabling or removing the Pricing Table by PickPlugins plugin if feasible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the Button Link field. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Regularly audit and sanitize existing content created via the plugin to identify and remove any injected scripts. Monitor logs and user activity for signs of exploitation attempts. Encourage plugin developers to release a patch promptly and apply it as soon as available. Additionally, educate content contributors about safe input practices and the risks of injecting untrusted content. For high-risk environments, consider isolating WordPress instances or using security plugins that provide enhanced input validation and output escaping.