CVE-2024-13486: CWE-79 Cross-Site Scripting (XSS) in Unknown Icegram Engage

Medium
Tags: Vulnerability, CVE-2024-13486, CWE-79
Published: Thu May 15 2025 (05/15/2025, 20:07:01 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Icegram Engage

Description

The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI-Powered Analysis

Last updated: 07/04/2025, 07:43:25 UTC

Technical Analysis

CVE-2024-13486 is a stored Cross-Site Scripting (XSS) vulnerability in the Icegram Engage WordPress plugin in versions before 3.1.32. The plugin stores some of its settings without sanitising them and renders them without escaping, so a high-privilege user such as an administrator can save JavaScript in a setting that later executes in the browser of anyone who views the affected page. It is classified as CWE-79 (improper neutralization of input during web page generation).

The detail that makes this a vulnerability rather than expected behaviour is the unfiltered_html capability. On a single-site install administrators hold unfiltered_html and may legitimately store arbitrary HTML, so script in an admin-controlled field is by design. On multisite only super admins hold it (site administrators do not), and any install can withhold it with the DISALLOW_UNFILTERED_HTML constant; in those deployments WordPress intends that administrators cannot store script. Because the plugin never applies that filter to these settings, a site administrator can cross a boundary WordPress is supposed to enforce, for example to run script in a super admin's session.

The CVSS v3.1 base score is 4.8 (Medium), vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N: reachable over the network, low attack complexity, high privileges required, user interaction required (a victim has to load the page), changed scope (the payload runs in the victim's browser, a different security authority from the vulnerable server-side component), low confidentiality and integrity impact, and no availability impact. Realistic outcomes are session hijacking, theft of nonces or other data visible to the victim, and actions performed with the victim's privileges.

The CVE description gives 3.1.32 as the first fixed release; the record itself carries no patch link, and its affected range starts at version 0, meaning every release before 3.1.32. No exploitation in the wild has been reported. WPScan reserved the identifier on January 16, 2025, and it was published on May 15, 2025. Icegram Engage builds engagement campaigns (popups, notifications, calls to action) on WordPress sites, so depending on which settings are affected the payload may render on public pages as well as in the admin area.
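The pattern the analysis describes, as an added illustration written for this page (it is not code from Icegram Engage or from the CVE record): a WordPress settings handler that stores posted values as-is and echoes them unescaped, followed by the hardened form that sanitises on save through the Settings API and escapes per output context. The function names, option names and form fields (xss_demo_*, headline, body) are hypothetical.

```php
<?php
/**
 * Added illustration, not code from Icegram Engage or from the advisory:
 * the "stored without sanitising, echoed without escaping" settings pattern
 * that CWE-79 describes, next to a hardened version. Function names
 * (xss_demo_*), option names and field names are hypothetical.
 */

/* ---------- Vulnerable pattern ---------- */

// Saves two settings exactly as posted. An administrator who lacks
// unfiltered_html (every site admin on multisite) can still store <script>
// here, because nothing consults that capability.
function xss_demo_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'xss_demo_save' );
    update_option( 'xss_demo_headline', wp_unslash( $_POST['headline'] ?? '' ) );
    update_option( 'xss_demo_body', wp_unslash( $_POST['body'] ?? '' ) );
}

// Renders them without escaping. In the attribute context a value such as
//   " autofocus onfocus=alert(document.cookie) x="
// runs for any user who opens the settings page; in the body context a
// stored <script> runs for every visitor of the campaign.
function xss_demo_render_vulnerable() {
    $headline = get_option( 'xss_demo_headline', '' );
    $body     = get_option( 'xss_demo_body', '' );
    echo '<input type="text" name="headline" value="' . $headline . '">';
    echo '<div class="campaign">' . $body . '</div>';
}

/* ---------- Hardened pattern ---------- */

// Plain-text field: strip all markup on save, escape for the output context.
function xss_demo_sanitize_headline( $value ) {
    return sanitize_text_field( (string) $value );
}

// Rich-text field: follow WordPress core's own rule for post content. Only a
// user holding unfiltered_html may store arbitrary markup; everyone else is
// limited to the wp_kses_post() allow-list, which drops <script>, on*=
// handlers and javascript: URLs.
function xss_demo_sanitize_body( $value ) {
    $value = (string) $value;
    return current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
}

// register_setting() makes options.php run the sanitize_callback on every
// save, so the filter cannot be bypassed by posting the form directly.
// Any other write path the plugin adds (AJAX, REST) must call the same
// sanitizers, otherwise the boundary is only half enforced.
add_action( 'admin_init', function () {
    register_setting( 'xss_demo', 'xss_demo_headline', array(
        'type'              => 'string',
        'sanitize_callback' => 'xss_demo_sanitize_headline',
        'default'           => '',
    ) );
    register_setting( 'xss_demo', 'xss_demo_body', array(
        'type'              => 'string',
        'sanitize_callback' => 'xss_demo_sanitize_body',
        'default'           => '',
    ) );
} );

// Escape on output, chosen per context: esc_attr() inside an attribute,
// esc_html() in text. The body is already filtered at the trust boundary
// (write time), the same way core treats post_content, so it is output as
// stored; it must never be echoed from a source that skipped the callback.
function xss_demo_render_hardened() {
    $headline = get_option( 'xss_demo_headline', '' );
    $body     = get_option( 'xss_demo_body', '' );
    echo '<input type="text" name="xss_demo_headline" value="' . esc_attr( $headline ) . '">';
    echo '<h2>' . esc_html( $headline ) . '</h2>';
    echo '<div class="campaign">' . $body . '</div>';
}
```

The two halves differ in exactly the places the CVE description names: the hardened version sanitises when a setting is saved, consults unfiltered_html before accepting markup, and escapes for the specific output context (attribute versus text), so a site administrator without the capability can no longer store script that runs for other users.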

Potential Impact

For European organizations the risk is moderate and concentrated on WordPress sites running Icegram Engage, above all multisite networks and any install where unfiltered_html has been withheld, since those are the deployments in which this counts as a privilege boundary being crossed. Exploitation needs an account with high privileges, so the attacker is either a malicious or a compromised administrator; the bug does not give an outsider a foothold by itself. What it does give such an attacker is persistence: a payload stored in a setting executes every time another user loads the affected page, enabling session hijacking, theft of data visible in that user's browser, and actions carried out with that user's privileges (for instance a super admin's), which undermines the confidentiality and integrity of site content and user data. Where personal data is processed under the GDPR, a resulting breach can bring notification duties, regulatory penalties and reputational damage. The changed scope in the CVSS vector reflects that the script runs in victims' browsers rather than in the plugin's own context; it does not indicate impact on other servers or network components. The absence of known exploits lowers the immediate urgency, but a stored XSS in a plugin that marketing teams use for customer engagement warrants prompt patching, as exploitation would disrupt campaigns and erode trust.

Mitigation Recommendations

European organizations should first establish whether any of their WordPress sites run Icegram Engage and which version is installed (the Plugins screen, or wp plugin list with WP-CLI). Anything below 3.1.32 should be updated to 3.1.32 or later, which the CVE description identifies as the first fixed release. Note that defining DISALLOW_UNFILTERED_HTML does not mitigate this bug, because the plugin does not consult that capability for the affected settings; the upgrade is the fix.

Until the upgrade is done, limit the population that could exploit it: restrict administrative access to trusted personnel, require multi-factor authentication for all administrator and super admin accounts, and audit roles so that no unnecessary high-privilege accounts exist. On multisite, review which users have been granted unfiltered_html or super admin status and remove grants without a clear need. A Content Security Policy that forbids inline script limits the damage of a stored payload, although WordPress core's own inline scripts make a strict CSP on wp-admin difficult to deploy without testing. Review the plugin's stored settings for injected markup before and after upgrading, and monitor logs for unexpected settings changes by administrator accounts. Finally, make administrators aware that stored XSS can originate from trusted accounts, so unusual content in settings fields deserves scrutiny.
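A WP-CLI triage script for the two checks above (version first, then a sweep of stored settings for script markers), added here as an example and not part of the advisory or of the plugin. It assumes the plugin's display name contains "Icegram Engage" and that its options are stored under names beginning with icegram; both are assumptions and are marked in the code, and an empty prefix scans every option.

```php
<?php
/**
 * Added example, not part of the advisory or of Icegram Engage: a WP-CLI
 * triage script that (a) reports whether the installed plugin is below the
 * fixed release named in the CVE description and (b) sweeps wp_options for
 * values carrying script markers. Run it from the WordPress root:
 *
 *   wp eval-file icegram-xss-triage.php
 *   # multisite: once per site
 *   wp site list --field=url | xargs -I{} wp --url={} eval-file icegram-xss-triage.php
 *
 * Assumptions: the plugin's display name contains "Icegram Engage" and its
 * option names start with "icegram". Set $prefix to '' to scan every option.
 */
if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    fwrite( STDERR, "Run this through: wp eval-file icegram-xss-triage.php\n" );
    exit( 1 );
}

/* ---- (a) Version check against the first fixed release, 3.1.32 ---- */
require_once ABSPATH . 'wp-admin/includes/plugin.php';
foreach ( get_plugins() as $file => $data ) {
    if ( false === stripos( $data['Name'], 'Icegram Engage' ) ) { // name match is an assumption
        continue;
    }
    $state = is_plugin_active( $file ) ? 'active' : 'inactive';
    if ( version_compare( $data['Version'], '3.1.32', '<' ) ) {
        WP_CLI::warning( sprintf( '%s %s (%s) is below 3.1.32: affected by CVE-2024-13486',
            $data['Name'], $data['Version'], $state ) );
    } else {
        WP_CLI::log( sprintf( '%s %s (%s) is at or above 3.1.32', $data['Name'], $data['Version'], $state ) );
    }
}

/* ---- (b) Sweep stored settings for script markers ---- */
global $wpdb;

// Markers that have no place in legitimate plain-text settings.
$patterns = array(
    'script tag'      => '/<\s*script\b/i',
    'event handler'   => '/[\s"\']on[a-z]+\s*=/i',
    'javascript: URL' => '/javascript\s*:/i',
    'active embed'    => '/<\s*(svg|iframe|object|embed)\b/i',
);

$prefix = 'icegram'; // assumption, see header; '' scans everything
$rows   = $wpdb->get_results( $wpdb->prepare(
    "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
    $wpdb->esc_like( $prefix ) . '%'
) );

$hits = 0;
foreach ( $rows as $row ) {
    // Settings are often serialized arrays; flatten so nested strings are searched too.
    $value = maybe_unserialize( $row->option_value );
    $flat  = is_scalar( $value ) ? (string) $value : (string) wp_json_encode( $value );
    foreach ( $patterns as $label => $re ) {
        if ( preg_match( $re, $flat, $m, PREG_OFFSET_CAPTURE ) ) {
            $hits++;
            $excerpt = substr( $flat, max( 0, $m[0][1] - 40 ), 120 );
            WP_CLI::warning( sprintf( '%s in option "%s": ...%s...', $label, $row->option_name, $excerpt ) );
            break; // one report per option is enough for triage
        }
    }
}

if ( 0 === $hits ) {
    WP_CLI::success( sprintf( 'No script markers in %d option(s) with prefix "%s"', count( $rows ), $prefix ) );
} else {
    WP_CLI::warning( sprintf( '%d suspicious option(s); review them before and after upgrading', $hits ) );
}
```

The sweep is a triage aid, not proof of compromise: legitimate rich-text campaign content can match the embed pattern, so each hit should be read in context and compared with what the responsible administrator says they entered.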

Technical Details

Data Version
5.1
Assigner Short Name
WPScan
Date Reserved
2025-01-16T19:06:58.169Z
Cisa Enriched
false
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fa1484d88663aec225

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 7:43:25 AM

Last updated: 8/15/2025, 6:14:27 PM
