CVE-2024-13509 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the WS Form LITE – Drag & Drop Contact Form Builder plugin for WordPress. The flaw exists due to insufficient sanitization and escaping of the 'url' parameter in the plugin's web page generation process. This allows unauthenticated attackers to inject arbitrary JavaScript code that is stored persistently and executed in the browsers of users who access the compromised pages. The vulnerability affects all plugin versions up to and including 1.10.13, with a partial fix introduced in 1.10.13 and a complete fix in 1.10.14. The CVSS v3.1 base score is 7.2, reflecting a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change. The impact includes potential confidentiality and integrity breaches, such as session hijacking, credential theft, or unauthorized actions performed via the victim's browser context. No known exploits are reported in the wild yet, but the ease of exploitation and the widespread use of WordPress and this plugin increase the risk. The vulnerability is particularly critical because it requires no authentication or user interaction, making automated exploitation feasible. The plugin is popular among WordPress users for building contact forms, thus affecting a broad user base.

The vulnerability enables attackers to execute arbitrary scripts in the context of affected websites, potentially leading to theft of user credentials, session tokens, or other sensitive data. It can also facilitate phishing attacks, unauthorized actions on behalf of users, and distribution of malware. For organizations, this can result in data breaches, loss of customer trust, regulatory penalties, and reputational damage. Since the vulnerability is exploitable without authentication or user interaction, automated mass exploitation campaigns could emerge, increasing the threat surface. Websites relying on this plugin for contact forms are particularly at risk, including e-commerce, corporate, and government sites that use WordPress. The scope of impact is broad due to WordPress's global popularity and the plugin's user base. Although availability is not directly affected, the indirect consequences of data compromise and trust erosion can be severe.

Organizations should immediately verify their WS Form LITE plugin version and upgrade to version 1.10.14 or later, where the vulnerability is fully patched. If upgrading is not immediately possible, temporarily disabling the plugin or removing the vulnerable contact forms can reduce risk. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious payloads targeting the 'url' parameter can provide interim protection. Regularly audit and sanitize user inputs and outputs in custom WordPress plugins and themes to prevent similar issues. Employ Content Security Policy (CSP) headers to restrict script execution origins, mitigating impact if exploitation occurs. Monitor web server logs for suspicious requests targeting the vulnerable parameter. Educate site administrators on the importance of timely plugin updates and vulnerability management. Finally, conduct security testing on WordPress sites to detect residual XSS or other injection flaws.