CVE-2024-13506 is a stored cross-site scripting vulnerability identified in the GeoDirectory – WP Business Directory Plugin and Classified Listings Directory for WordPress, maintained by paoltaia. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the handling of the display_name profile parameter. This parameter is insufficiently sanitized and escaped, allowing authenticated users with at least Subscriber-level privileges to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time the infected page is accessed by any user, including administrators. The vulnerability is classified under CWE-79 and affects all plugin versions up to and including 2.8.97. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, and a scope change with partial impact on confidentiality and integrity but no impact on availability. Although no public exploits have been reported, the vulnerability could be leveraged for session hijacking, privilege escalation, or delivering further payloads. The flaw highlights the importance of rigorous input validation and output encoding in web applications, especially in widely used CMS plugins. No official patch links are currently available, so users must monitor vendor advisories for updates.

The vulnerability allows attackers with minimal privileges (Subscriber-level) to inject persistent malicious scripts that execute in the context of other users, including administrators. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access. Attackers may also perform actions on behalf of victims, deface websites, or deliver malware. The compromise of administrative accounts could result in full site takeover, data breaches, or disruption of services. Given the widespread use of WordPress and the popularity of directory plugins, numerous organizations worldwide, including small businesses, local directories, and classified listing sites, are at risk. The medium severity rating reflects the moderate complexity of exploitation but significant potential impact on confidentiality and integrity. The absence of known exploits in the wild currently limits immediate risk, but the vulnerability remains a critical concern until patched. Failure to address this issue could lead to reputational damage, regulatory penalties, and operational disruptions.

1. Monitor the plugin vendor’s official channels for security patches and apply updates promptly once available. 2. Until a patch is released, restrict user roles and permissions to limit Subscriber-level users from accessing or modifying profile parameters that can be exploited. 3. Implement Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting the display_name parameter. 4. Employ Content Security Policy (CSP) headers to restrict script execution sources and mitigate the impact of injected scripts. 5. Conduct regular security audits and code reviews of plugins and custom code to identify and remediate input validation weaknesses. 6. Educate site administrators and users about the risks of XSS and encourage vigilance when reviewing user-generated content. 7. Consider temporarily disabling or replacing the vulnerable plugin with alternative solutions if immediate patching is not feasible. 8. Sanitize and encode all user inputs and outputs rigorously in custom development to prevent similar vulnerabilities.