
CVE-2024-13519: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in webwizardsdev MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution

Severity: Medium
Tags: Vulnerability, CVE-2024-13519, CWE-79
Published: Sat Jan 18 2025 (01/18/2025, 07:05:08 UTC)
Source: CVE Database V5
Vendor/Project: webwizardsdev
Product: MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution

Description

CVE-2024-13519 is a stored Cross-Site Scripting (XSS) vulnerability in the MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution WordPress plugin. It affects all versions up to 1.9.80 and allows authenticated users with Shop Manager-level permissions or higher to inject malicious scripts via plugin settings. The vulnerability arises from insufficient input sanitization and output escaping, and it specifically affects multi-site WordPress installations or those with unfiltered_html disabled. Injected scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking or unauthorized actions. The CVSS score is 4.4 (medium severity), reflecting the need for authentication and high attack complexity. No known exploits are currently reported in the wild. Organizations using this plugin in multi-site environments should prioritize patching or applying mitigations to prevent exploitation.

AI-Powered Analysis

Last updated: 02/26/2026, 00:16:56 UTC

Technical Analysis

CVE-2024-13519 is a stored Cross-Site Scripting (XSS) vulnerability identified in the MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress, affecting all versions up to and including 1.9.80. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where the plugin fails to adequately sanitize and escape user-supplied data in its settings interface. This flaw allows authenticated attackers with Shop Manager-level permissions or higher to inject arbitrary JavaScript code into pages rendered by the plugin. The malicious scripts are stored persistently and execute in the context of any user who views the infected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. The vulnerability specifically impacts multi-site WordPress installations or single-site setups where the unfiltered_html capability is disabled, limiting the scope but still posing a significant risk in those environments. The CVSS 3.1 base score of 4.4 reflects a medium severity, with network attack vector, high attack complexity, required privileges, no user interaction, and partial confidentiality and integrity impact. No public exploits have been reported to date, but the presence of this vulnerability in a widely used WooCommerce multivendor plugin highlights the importance of timely remediation. The plugin vendor has not yet published a patch, so users must rely on alternative mitigations until an official fix is available.

Potential Impact

The primary impact of CVE-2024-13519 is the potential for attackers with Shop Manager-level access to execute arbitrary JavaScript in the context of other users visiting the affected pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. Since the vulnerability is stored XSS, the malicious payload persists and can affect multiple users over time. The requirement for authenticated access with elevated privileges limits the attack surface but does not eliminate risk, especially in environments where Shop Managers are numerous or less trusted. Multi-site WordPress installations and those with unfiltered_html disabled are particularly vulnerable, which may include large e-commerce platforms and marketplaces using WooCommerce. The medium CVSS score reflects moderate risk; however, the potential for lateral movement and privilege escalation through XSS in a multivendor marketplace environment could have significant business and reputational consequences if exploited. Organizations may face data breaches, loss of customer trust, and compliance issues if this vulnerability is left unaddressed.

Mitigation Recommendations

1. Immediate mitigation involves restricting Shop Manager-level permissions to trusted users only, minimizing the number of accounts that can exploit this vulnerability.
2. Monitor and audit plugin settings pages for suspicious or unexpected script injections.
3. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the plugin's settings interface.
4. Where possible, enable Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected pages.
5. Regularly back up WordPress sites and database contents to enable quick restoration if compromise occurs.
6. Until an official patch is released, consider disabling or replacing the MarketKing plugin in multi-site environments or those with unfiltered_html disabled.
7. Educate administrators and Shop Managers about the risks of injecting untrusted content into plugin settings.
8. Follow vendor announcements closely and apply patches promptly once available.
9. Conduct penetration testing focused on XSS vectors in the affected plugin to identify and remediate any additional injection points.
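The technical analysis attributes the flaw to settings values that are stored without the allowlist filtering WordPress would otherwise impose on users lacking unfiltered_html, and mitigation step 2 asks defenders to audit stored settings for injected script. The following is an added example, not code from the MarketKing plugin or from WordPress: a small kses-style auditor that walks stored option values and reports any tag, event-handler attribute or URL scheme a filtered user should never have been able to save. The allowlist, option names and sample values are all assumptions constructed for the example.

```python
"""Added example (not MarketKing's or WordPress's code): audit stored plugin settings for
markup a Shop Manager should not have been able to save, approximating the allowlist
filtering wp_kses applies to users without unfiltered_html. All sample values are invented."""
from html.parser import HTMLParser

# Assumed allowlist for a formatted-text settings field (narrower than wp_kses_post).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "a", "img", "ul", "ol", "li", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}, "span": {"class"}}
URL_ATTRS, SAFE_SCHEMES = {"href", "src"}, {"http", "https", "mailto"}

def safe_url(value):
    """Relative URLs and http/https/mailto pass; any other scheme (e.g. javascript:) fails."""
    compact = "".join(value.split()).lower()  # browsers ignore embedded whitespace
    return ":" not in compact or compact.split(":", 1)[0] in SAFE_SCHEMES

class SettingsAuditor(HTMLParser):
    """Records every tag or attribute a kses-style filter would have stripped."""
    def __init__(self):
        super().__init__()  # the parser decodes entities in attribute values for us
        self.findings = []
    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
            return
        for name, value in attrs:
            if name.startswith("on"):  # any inline event handler executes script
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"disallowed attribute {name} on <{tag}>")
            elif name in URL_ATTRS and not safe_url(value or ""):
                self.findings.append(f"unsafe URL scheme in {name} on <{tag}>")

def audit_setting(value):
    """Return the findings for one stored option value; an empty list means clean."""
    parser = SettingsAuditor()
    parser.feed(value)
    return parser.findings

def audit_options(options):
    """Map option name -> findings for every value that fails the allowlist."""
    return {n: f for n, v in options.items() if (f := audit_setting(v))}

SAMPLE_OPTIONS = {  # constructed sample of stored settings, not real plugin data
    "marketking_vendor_welcome": "<p>Welcome to <strong>our marketplace</strong>!</p>",
    "marketking_footer_note": 'Contact <a href="https://example.test/help">support</a>',
    "marketking_badge_html": '<img src="/badge.png" alt="badge">',
    "marketking_banner_html": "<script>alert(1)</script><p>Sale!</p>",
    "marketking_promo_link": '<a href="javascript:alert(1)" onclick="alert(2)">Deals</a>',
}
```

Run `audit_options(SAMPLE_OPTIONS)` against a dump of the plugin's option values to see which entries need review; the two flagged entries are exactly the ones an output-escaping bug would turn into stored XSS.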


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-01-17T18:34:32.469Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e5cb7ef31ef0b59ef30

Added to database: 2/25/2026, 9:49:16 PM

Last enriched: 2/26/2026, 12:16:56 AM

Last updated: 2/26/2026, 8:05:04 AM

