CVE-2024-13515: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in webzunft Image Source Control Lite – Show Image Credits and Captions
CVE-2024-13515 is a reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin 'Image Source Control Lite – Show Image Credits and Captions' by webzunft, affecting all versions up to and including 2.28.0. The flaw arises from improper sanitization and escaping of the 'path' parameter, allowing unauthenticated attackers to inject malicious scripts. Exploitation requires tricking users into clicking crafted links, leading to script execution in their browsers. This vulnerability can compromise user confidentiality and integrity but does not affect availability. The CVSS score is 6.1 (medium severity), reflecting ease of exploitation without authentication but requiring user interaction. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent potential targeted attacks.
AI Analysis
Technical Summary
CVE-2024-13515 identifies a reflected Cross-Site Scripting vulnerability in the 'Image Source Control Lite – Show Image Credits and Captions' WordPress plugin developed by webzunft. This vulnerability exists in all versions up to and including 2.28.0 due to insufficient input sanitization and output escaping of the 'path' parameter. When an attacker crafts a malicious URL containing a script payload in the 'path' parameter and convinces a user to click it, the injected script executes in the context of the victim's browser. This can lead to theft of session cookies, defacement, or redirection to malicious sites, compromising user confidentiality and integrity. The vulnerability does not require authentication but does require user interaction (clicking a malicious link). The CVSS 3.1 base score is 6.1, indicating medium severity, with attack vector network, low attack complexity, no privileges required, user interaction required, and scope changed. No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly. The plugin is widely used in WordPress environments for managing image credits and captions, making the attack surface significant in websites relying on this plugin. The reflected nature of the XSS means it can be used in phishing campaigns or targeted attacks to compromise site visitors.
Potential Impact
The primary impact of CVE-2024-13515 is on the confidentiality and integrity of users interacting with vulnerable WordPress sites using the affected plugin. Successful exploitation can lead to session hijacking, theft of sensitive information, or execution of arbitrary scripts in the victim's browser, potentially enabling further attacks such as phishing or malware delivery. While availability is not directly impacted, the reputation and trustworthiness of affected websites can suffer, leading to loss of user confidence and potential business impact. Organizations hosting WordPress sites with this plugin may face increased risk of targeted attacks, especially if their user base is large or includes privileged users. The vulnerability's ease of exploitation without authentication but requiring user interaction makes it a moderate risk, particularly in environments where users are less security-aware. The lack of known exploits in the wild currently limits immediate widespread impact but does not preclude future exploitation. Overall, the threat is significant for website operators and their users, especially in sectors relying heavily on WordPress for content management.
Mitigation Recommendations
To mitigate CVE-2024-13515, organizations should immediately update the 'Image Source Control Lite – Show Image Credits and Captions' plugin to a patched version once available from the vendor. Until a patch is released, administrators can implement Web Application Firewall (WAF) rules to detect and block requests containing suspicious script payloads in the 'path' parameter. Employing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources. Site owners should audit and sanitize all user-controllable inputs rigorously, especially URL parameters, to prevent injection. Educating users to avoid clicking suspicious links can reduce exploitation likelihood. Additionally, monitoring web server logs for unusual query parameters and anomalous traffic patterns can help detect attempted exploitation. Regular security assessments and plugin inventory reviews should be conducted to identify and remediate vulnerable components promptly. Disabling or removing unused plugins reduces the attack surface. Finally, implementing multi-factor authentication (MFA) for user accounts can limit damage if session tokens are compromised.
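The log-monitoring recommendation above can be made concrete with a small scan over web-server access logs that isolates the 'path' query parameter and flags values that look like script injection. The Python below is an added example, not code from the plugin, the vendor or this advisory; it assumes Combined Log Format lines, uses placeholder endpoint paths (the advisory names the parameter but not the URL that handles it), constructs its own sample requests, and treats the marker patterns as a tunable heuristic. It decodes repeatedly so that double percent-encoding, which a single-decode check would miss, is still caught.

```python
"""Heuristic scan of access logs for reflected-XSS attempts against a named
query parameter (here 'path'). Added example; not the plugin's or advisory's code."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/Common Log Format: client, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Generic markers of script injection. This is a heuristic: tune it to your site,
# since e.g. 'on\w+=' can also match harmless parameter content.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|on\w+\s*=|<\s*(?:img|svg|iframe)", re.IGNORECASE
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(log_text: str, param: str = "path") -> list:
    """Return one finding per request whose `param` value matches an XSS marker."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; ignore rather than crash on junk
        client, when, method, target, status = m.groups()
        query = urlsplit(target).query
        # parse_qs performs one round of decoding; fully_decode handles the rest
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            value = fully_decode(raw)
            hit = XSS_MARKERS.search(value)
            if hit:
                findings.append({
                    "client": client, "time": when, "method": method,
                    "status": int(status), "param": param,
                    "value": value, "marker": hit.group(0),
                })
    return findings


# Constructed sample lines (not real traffic). The endpoint path is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2026:21:49:16 +0000] "GET /index.php?path=images%2Fphoto.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Feb/2026:21:50:02 +0000] "GET /index.php?path=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Feb/2026:21:50:05 +0000] "GET /index.php?path=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.2 - - [25/Feb/2026:21:51:00 +0000] "GET /index.php?path=uploads/2026/02/banner.png&foo=bar HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['param']}={f['value']!r} matched {f['marker']!r}")
```

Run against the constructed sample, the scan reports the second and third requests (the third only because of the repeated decoding) and passes over the two legitimate image paths. Pointing it at a real access log is a matter of reading the file into `scan_access_log`; a finding is a signal to review, not proof of compromise, since a reflected XSS attempt only succeeds if a user followed the link.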
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-17T17:06:43.842Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e5cb7ef31ef0b59ef1e
Added to database: 2/25/2026, 9:49:16 PM
Last enriched: 2/26/2026, 12:28:20 AM
Last updated: 2/26/2026, 6:11:47 AM