CVE-2024-13501 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP-FormAssembly plugin for WordPress, affecting all versions up to and including 2.0.11. The root cause is insufficient sanitization and output escaping of user-supplied attributes within the plugin's 'formassembly' shortcode. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes every time a user accesses the compromised page, potentially affecting administrators, editors, and visitors. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and a scope change due to affecting other users. No patches or known exploits have been reported yet, but the vulnerability poses a significant risk to the confidentiality and integrity of affected sites. This vulnerability can be leveraged for session hijacking, defacement, or further privilege escalation within the WordPress environment.

The impact of CVE-2024-13501 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts that execute in the context of other users, including administrators. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of other users, and potential site defacement. Although availability is not directly impacted, the compromise of administrative accounts or site integrity can lead to downtime or loss of user trust. Organizations relying on WP-FormAssembly for form management face risks of data leakage and unauthorized control over site content. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with many contributors or where account compromise is possible. The vulnerability could be leveraged as a foothold for broader attacks within the WordPress ecosystem or the hosting environment.

To mitigate CVE-2024-13501, organizations should first upgrade the WP-FormAssembly plugin to a fixed version once released by the vendor. Until a patch is available, restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Implement web application firewall (WAF) rules to detect and block suspicious payloads targeting the 'formassembly' shortcode. Conduct regular audits of user-generated content and shortcode usage to identify and remove injected scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Additionally, monitor logs for unusual activity related to form submissions or shortcode usage. Educate administrators and contributors about the risks of XSS and safe content handling. Finally, consider isolating or disabling the plugin if it is not essential, reducing the attack surface.