
CVE-2024-13497: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in tripetto WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

Severity: High
Tags: vulnerability, CVE-2024-13497, CWE-80
Published: Sat Mar 15 2025 (03/15/2025, 04:22:08 UTC)
Source: CVE Database V5
Vendor/Project: tripetto
Product: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

Description

CVE-2024-13497 is a high-severity stored cross-site scripting (XSS) vulnerability in the Tripetto WordPress form builder plugin, affecting all versions up to and including 8.0.9. The flaw arises from insufficient input sanitization and output escaping of attachment uploads, allowing unauthenticated attackers to inject malicious scripts. These scripts execute whenever a user accesses the uploaded file, potentially compromising user data and session integrity. The vulnerability requires no authentication or user interaction to exploit and impacts confidentiality and integrity without affecting availability. Although no known exploits are currently reported in the wild, the vulnerability's ease of exploitation and scope make it a significant risk for websites using this plugin. Organizations relying on Tripetto for contact forms, surveys, or quizzes should prioritize patching or mitigating this issue. Countries with large WordPress user bases and significant online business activity are most at risk. Immediate mitigation includes restricting file upload types, implementing strict server-side input validation, and monitoring for suspicious activity until an official patch is released.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 00:11:26 UTC

Technical Analysis

CVE-2024-13497 is a stored cross-site scripting vulnerability classified under CWE-80, affecting the Tripetto WordPress form builder plugin used for creating contact forms, surveys, and quizzes. The vulnerability exists due to improper neutralization of script-related HTML tags in attachment uploads, where the plugin fails to sufficiently sanitize and escape user-supplied input before rendering it on web pages. This flaw allows unauthenticated attackers to upload malicious files containing executable scripts that persist on the server and execute in the context of any user accessing the affected pages. The vulnerability affects all versions up to and including 8.0.9. The CVSS 3.1 score of 7.2 reflects a high severity, with an attack vector of network (remote exploitation), low attack complexity, no privileges required, and no user interaction needed. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site environment. Exploitation can lead to the theft of sensitive information such as cookies or session tokens, unauthorized actions performed on behalf of users, and potential further compromise of the website or connected systems. Although no public exploits are currently known, the vulnerability's characteristics make it a prime target for attackers aiming to compromise WordPress sites using Tripetto. The lack of an official patch at the time of disclosure necessitates immediate mitigation efforts by administrators.

Potential Impact

The impact of CVE-2024-13497 is significant for organizations using the Tripetto plugin on WordPress sites. Successful exploitation can lead to the compromise of user confidentiality through theft of session cookies or personal data, and integrity by enabling attackers to perform unauthorized actions within the affected site. This can result in account takeover, defacement, or injection of further malicious content, undermining user trust and potentially causing reputational damage. While availability is not directly affected, the broader consequences of a compromised site can include downtime due to remediation efforts or blacklisting by search engines. Organizations in sectors such as e-commerce, education, healthcare, and government, which often rely on web forms for data collection, are particularly vulnerable. The widespread use of WordPress globally means that many organizations could be exposed, especially those that have not updated or mitigated this plugin vulnerability. Attackers can exploit this vulnerability remotely without authentication, increasing the risk of automated mass exploitation campaigns.

Mitigation Recommendations

To mitigate CVE-2024-13497, organizations should immediately audit their WordPress installations for the presence of the Tripetto plugin and verify the version in use. Until an official patch is released, administrators should consider disabling the plugin or restricting file upload functionality to trusted users only. Implement strict server-side validation and sanitization of all uploaded files, ensuring that executable scripts cannot be uploaded or rendered. Employ a web application firewall (WAF) with rules targeting XSS attack patterns, particularly those related to file uploads and script injection. Monitor web server logs and application logs for unusual file upload activity or access patterns indicative of exploitation attempts. Additionally, enforce Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. Regularly back up website data and configurations to enable rapid recovery if compromise occurs. Finally, stay informed about vendor updates and apply official patches promptly once available.
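The "restrict file upload types" and "ensure executable scripts cannot be uploaded or rendered" steps above can be enforced site-wide with a must-use plugin. The following is an added hardening example written for this page, not code from Tripetto or from the advisory; it assumes the upload path passes through WordPress's standard `wp_handle_upload` pipeline (plugins with a private upload handler need the same content check applied at the web-server layer instead).

```php
<?php
/**
 * Plugin Name: Block script-bearing uploads (hardening example)
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 * Added example for CVE-2024-13497 (CWE-80): refuses uploads that a browser
 * would render as HTML/SVG, regardless of the declared extension or MIME type.
 */

// 1. Remove MIME types that a browser will execute script from. Priority 99
//    runs after other plugins that may have added e.g. 'svg' back in.
add_filter('upload_mimes', function (array $mimes): array {
    foreach (['html', 'htm', 'xhtml', 'svg', 'svgz', 'xml'] as $ext) {
        unset($mimes[$ext]);
    }
    return $mimes;
}, 99);

// 2. Sniff the content, not just the name: an "avatar.png" whose bytes begin
//    with <script> is still HTML to a browser that content-sniffs it.
add_filter('wp_handle_upload_prefilter', function (array $file): array {
    $head = '';
    if (!empty($file['tmp_name']) && is_readable($file['tmp_name'])) {
        // Only the first 4 KiB is needed to spot markup at the top of a file.
        $head = (string) file_get_contents($file['tmp_name'], false, null, 0, 4096);
    }
    // Case-insensitive match on tags and URL schemes that carry script.
    $markup = '/<\s*(script|svg|iframe|object|embed|html|body)\b|<!doctype\s+html|javascript:/i';
    if ($head !== '' && preg_match($markup, $head)) {
        // Setting 'error' makes wp_handle_upload() abort and surface this message.
        $file['error'] = 'Upload rejected: file contains script-related HTML markup.';
    }
    return $file;
});
```

Files already present under wp-content/uploads are served directly by the web server and are not re-checked by this filter, so existing attachments still need a separate audit. Serve the uploads directory with `X-Content-Type-Options: nosniff` and a restrictive `Content-Security-Policy` at the web-server level, since WordPress-level headers do not apply to static files.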


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-16T21:09:55.087Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e5bb7ef31ef0b59ed7a

Added to database: 2/25/2026, 9:49:15 PM

Last enriched: 2/26/2026, 12:11:26 AM

Last updated: 2/26/2026, 6:39:34 AM

