CVE-2024-13517 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress. This vulnerability affects all versions up to and including 3.3.2. The root cause is insufficient sanitization and escaping of the Title input field during web page generation, which allows an authenticated attacker with administrator-level access to inject arbitrary JavaScript code into pages. The vulnerability specifically impacts multi-site WordPress installations where the unfiltered_html capability is disabled, limiting the ability to filter out malicious HTML content. Once injected, the malicious script executes whenever any user accesses the affected page, potentially enabling session hijacking, privilege escalation, or other malicious activities. The CVSS v3.1 score is 4.4, reflecting a medium severity with network attack vector, high attack complexity, requiring privileges, and no user interaction. The scope is changed (S:C), indicating the vulnerability can affect resources beyond the initially compromised component. No public exploits have been reported yet, but the presence of administrator-level access requirement and multi-site limitation reduces the attack surface. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those handling e-commerce transactions and subscriptions.

The impact of CVE-2024-13517 is primarily on the confidentiality and integrity of affected WordPress multi-site installations using the Easy Digital Downloads plugin. Successful exploitation allows an attacker with administrator privileges to inject persistent malicious scripts, which execute in the context of users visiting the compromised pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, or distribution of malware. Although availability is not directly affected, the trustworthiness of the affected e-commerce platform can be severely damaged, potentially leading to reputational harm and financial losses. The requirement for administrator-level access and multi-site configuration limits the scope but does not eliminate risk, especially for organizations relying on this plugin for payment and subscription management. Attackers who gain admin access through other means could leverage this vulnerability to escalate their control and impact multiple sites within a network.

To mitigate CVE-2024-13517, organizations should immediately update the Easy Digital Downloads plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should restrict access to the WordPress admin dashboard to trusted personnel only and monitor for any unusual activity. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections targeting the Title field can provide temporary protection. Additionally, review and harden multi-site configurations, ensuring that unfiltered_html capability is enabled only for trusted users. Regularly audit user privileges to minimize the number of administrators and enforce strong authentication mechanisms. Employ Content Security Policy (CSP) headers to reduce the impact of injected scripts by restricting script execution sources. Finally, conduct security awareness training for administrators to recognize and prevent injection of malicious content.