
CVE-2024-13542: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pagup WP Google Street View (with 360° virtual tour) & Google maps + Local SEO

Severity: Medium
Tags: Vulnerability, CVE-2024-13542, CWE-79
Published: Fri Jan 24 2025 (01/24/2025, 11:07:32 UTC)
Source: CVE Database V5
Vendor/Project: pagup
Product: WP Google Street View (with 360° virtual tour) & Google maps + Local SEO

Description

CVE-2024-13542 is a stored cross-site scripting (XSS) vulnerability in the WP Google Street View (with 360° virtual tour) & Google maps + Local SEO WordPress plugin, affecting all versions up to and including 1.1.3. The flaw arises from insufficient input sanitization and output escaping of user-supplied attributes of the 'wpgsv' shortcode, so an authenticated user with contributor-level access or higher can place script in a post that is stored and rendered as part of the page. The script runs in the browser of anyone who views or previews the affected page, including editors and administrators, which is what makes a contributor-only bug worth a medium rating: it can be used for session hijacking, defacement, or actions taken with the victim's privileges. The CVSS 3.1 base score is 6.4 (medium); the vector requires no user interaction beyond viewing the page, but it does require an authenticated account. No known exploits are currently reported in the wild. Organizations using this plugin should update or apply the mitigations below. Exposure is highest on multi-author sites, since contributor accounts are the entry point, and that profile is common among the local-SEO and business sites the plugin targets.

AI-Powered Analysis

Last updated: 02/26/2026, 00:00:28 UTC

Technical Analysis

CVE-2024-13542 is a stored cross-site scripting vulnerability in the WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress, affecting all versions up to and including 1.1.3. The root cause is improper neutralization of input during web page generation (CWE-79): the handler for the 'wpgsv' shortcode writes user-supplied attributes into the generated markup without sanitizing or escaping them for the context they land in. An authenticated attacker with contributor-level privileges or higher can therefore save a crafted shortcode in a post. Contributors cannot post raw HTML, but a shortcode is plain text to WordPress's content filters and is only turned into markup at render time, which is exactly where the missing escaping sits. The payload is stored with the post and executes in the browser of every user who renders it, including an editor or administrator previewing the draft for review, so a low-privilege account can reach a high-privilege session: steal or reuse its cookies, redirect the victim, or issue requests to the REST or admin-ajax endpoints with the victim's nonce and credentials. The CVSS 3.1 base score of 6.4 (medium) corresponds to network attack vector, low attack complexity, low privileges required, no user interaction, changed scope (the script runs in other users' browsers), and low (not partial, which is CVSS v2 wording) confidentiality and integrity impact with no availability impact. No public exploit has been reported, but this bug class is easy to reproduce from the plugin source, and the plugin's audience of business and local SEO sites often has several contributor accounts. Mitigation depends on updating once a fixed release is available; until then, escape the shortcode's attributes at output and restrict who holds contributor-or-higher roles.
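The pattern described above, as an added example that is not the plugin's own code: a shortcode handler that concatenates attributes into markup, next to a hardened version that validates each attribute and escapes it for its output context. The attribute names (address, width, height, zoom) are assumptions chosen for illustration; the advisory does not list the real 'wpgsv' attributes. The small stand-ins for shortcode_atts(), esc_attr() and absint() exist only so the file runs from the command line; inside WordPress the real functions are used.

```php
<?php
// Added example, not the plugin's own code: the unsafe pattern the advisory
// describes next to a hardened handler. Attribute names are assumptions.

// Minimal stand-ins so the file also runs from the command line; inside
// WordPress the real functions are already defined and these are skipped.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts, string $shortcode = ''): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? (string) $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($value): int { return abs((int) $value); }
}

const WPGSV_DEFAULTS = ['address' => '', 'width' => '100%', 'height' => '400px', 'zoom' => '1'];

// Vulnerable: attributes are concatenated straight into markup. A contributor
// who saves [wpgsv address='x" onmouseover="alert(1)'] closes data-address and
// adds an event handler. Contributors cannot post <script>, but shortcode text
// contains no tags, so wp_kses leaves it alone.
function wpgsv_render_vulnerable(array $atts): string {
    $a = shortcode_atts(WPGSV_DEFAULTS, $atts, 'wpgsv');
    return '<div class="wpgsv" data-address="' . $a['address'] . '"'
         . ' data-zoom="' . $a['zoom'] . '"'
         . ' style="width:' . $a['width'] . ';height:' . $a['height'] . '"></div>';
}

// Accept only a plain CSS length; anything else falls back to the default.
function wpgsv_css_length(string $value, string $default): string {
    return preg_match('/^\d{1,4}(?:\.\d+)?(?:px|%|em|rem|vh|vw)$/', $value) ? $value : $default;
}

// Hardened: coerce each attribute to its expected type and escape for the
// exact output context (esc_attr for attribute text, absint for an integer,
// an allowlist for what goes into style="").
function wpgsv_render_hardened(array $atts): string {
    $a = shortcode_atts(WPGSV_DEFAULTS, $atts, 'wpgsv');
    return '<div class="wpgsv" data-address="' . esc_attr($a['address']) . '"'
         . ' data-zoom="' . absint($a['zoom']) . '"'
         . ' style="width:' . wpgsv_css_length($a['width'], '100%')
         . ';height:' . wpgsv_css_length($a['height'], '400px') . '"></div>';
}

if (function_exists('add_shortcode')) {
    add_shortcode('wpgsv', 'wpgsv_render_hardened');
}

if (PHP_SAPI === 'cli') {
    // Constructed attribute values of the kind a contributor could save in a post.
    $payload = [
        'address' => 'x" onmouseover="alert(document.cookie)',
        'width'   => '100%;position:fixed;inset:0;z-index:9999',
        'zoom'    => '3<script>',
    ];
    echo wpgsv_render_vulnerable($payload), PHP_EOL;
    echo wpgsv_render_hardened($payload), PHP_EOL;
}
```

Run with `php wpgsv-example.php`: the first line of output carries a live onmouseover handler and a full-screen overlay style, the second renders the same input as inert attribute text with a numeric zoom and the default sizes. The point is the context-specific escaping: esc_attr() alone would not have protected the style attribute, which is why the length allowlist is separate.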

Potential Impact

The impact of CVE-2024-13542 can be significant for organizations relying on the affected WordPress plugin, especially those using it to enhance local SEO and provide interactive Google Street View content. Successful exploitation allows an attacker with contributor-level access to inject a persistent script that executes in the browsers of site visitors and, more importantly, of the editors and administrators who review or preview the contributor's content. In an administrator's session that script can perform any action the admin can, including creating users, changing plugin settings, or installing code, so the realistic outcome is privilege escalation rather than a visitor-only nuisance. Other consequences are session hijacking, defacement, theft of visitor data, or redirection to malware. Since the vulnerability affects confidentiality and integrity but not availability, the primary risks involve data and site compromise and loss of trust. Organizations with many contributors or loose role assignment are particularly exposed, and a compromised site can also damage brand reputation and search rankings. The medium severity and the need for an authenticated account limit the scope somewhat, but the wide use of WordPress and of this plugin means a large number of sites could be affected.

Mitigation Recommendations

To mitigate CVE-2024-13542, organizations should:

1) Update the WP Google Street View & Google maps + Local SEO plugin to a release that fixes the shortcode escaping as soon as the vendor publishes one, and confirm afterwards that the installed version is above 1.1.3.
2) Until then, restrict contributor-level and higher roles to trusted users only; the contributor account is the entry point for this bug.
3) Escape every shortcode attribute at output for the context it lands in (esc_attr() for attribute values, esc_url() for URLs, integer casts for numeric values), via a patched copy of the handler or a security plugin that filters shortcode attributes. Sanitizing on save alone is not enough, because quotes and angle brackets are ordinary text in a post and the escaping must happen where the markup is built.
4) Use a WAF with rules that flag '[wpgsv' shortcodes carrying quotes, angle brackets or 'on...=' handlers in post submissions; the WAF sees only the authenticated POST, not the later render, so treat this as detection rather than a fix.
5) Audit user roles and permissions regularly to enforce least privilege.
6) Search existing posts, drafts and revisions for 'wpgsv' shortcodes whose attributes contain markup, since applying an update does not tell you whether a payload was already stored, and review the edit history of any post that matches.
7) Educate content contributors about secure content practices and the risks of injecting untrusted code.
8) If feasible, temporarily disable the vulnerable shortcode, for example by calling remove_shortcode('wpgsv') from a must-use plugin after the plugin has registered it.
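A content audit of the kind steps 4 and 6 call for, as an added example rather than anything from the advisory or the plugin: it finds every 'wpgsv' shortcode in a body of post content, parses the attributes with the same quoting forms WordPress accepts, and flags values that only make sense as an attribute breakout or script injection. The sample posts are constructed; when the file is run inside WordPress it audits the real posts table instead.

```php
<?php
// Added example, not part of the advisory or the plugin. Audits post content
// for [wpgsv ...] shortcodes whose attribute values look like injections.

// Parse one shortcode's attribute text into name => value, accepting the
// three forms WordPress's parser does: name="...", name='...', name=bare.
function wpgsv_parse_atts(string $text): array {
    $atts = [];
    $re = '/([\w-]+)\s*=\s*"([^"]*)"|([\w-]+)\s*=\s*\'([^\']*)\'|([\w-]+)\s*=\s*([^\s"\'\]]+)/';
    if (preg_match_all($re, $text, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            if ($match[1] !== '')     { $atts[$match[1]] = $match[2]; }
            elseif ($match[3] !== '') { $atts[$match[3]] = $match[4]; }
            else                      { $atts[$match[5]] = $match[6]; }
        }
    }
    return $atts;
}

// Tokens that never belong in an address, size or zoom value. A lone
// apostrophe (Rue de l'Eglise) is deliberately not flagged.
function wpgsv_is_suspicious(string $value): bool {
    $patterns = [
        '/["\']\s*[\w-]+\s*=/',   // quote followed by name=: attribute breakout
        '/<\s*\/?\s*[a-z!]/i',    // any tag or comment opener
        '/\bon[a-z]+\s*=/i',      // inline event handler (onerror=, onload=, ...)
        '/javascript\s*:/i',      // script URL scheme
        '/&#x?[0-9a-f]+;?/i',     // numeric entity used to smuggle the above
        '/expression\s*\(/i',     // legacy IE CSS expression()
    ];
    foreach ($patterns as $p) {
        if (preg_match($p, $value)) { return true; }
    }
    return false;
}

// One finding per suspicious attribute: the shortcode, the attribute, its value.
function wpgsv_audit_content(string $content): array {
    $findings = [];
    if (!preg_match_all('/\[wpgsv\b([^\]]*)\]/i', $content, $m, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($m as $match) {
        foreach (wpgsv_parse_atts($match[1]) as $name => $value) {
            if (wpgsv_is_suspicious($value)) {
                $findings[] = ['shortcode' => $match[0], 'attribute' => $name, 'value' => $value];
            }
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    if (function_exists('get_posts')) {
        // Inside WordPress (wp eval-file wpgsv-audit.php): every type and status.
        $posts = [];
        foreach (get_posts(['post_type' => 'any', 'post_status' => 'any', 'numberposts' => -1]) as $p) {
            $posts[$p->ID] = $p->post_content;
        }
    } else {
        // Constructed sample posts; only post 2 carries an injection.
        $posts = [
            1 => "Find us here: [wpgsv address=\"221B Baker Street, London\" width=\"100%\" zoom=\"2\"]",
            2 => "[wpgsv address='x\" onmouseover=\"alert(document.cookie)' zoom=\"1\"]",
            3 => "[wpgsv address=\"Rue de l'Église 5, Lyon\" height=\"300px\"]",
        ];
    }
    foreach ($posts as $id => $content) {
        foreach (wpgsv_audit_content($content) as $f) {
            printf("post %d: attribute %s looks injected: %s\n", $id, $f['attribute'], $f['value']);
        }
    }
}
```

Run stand-alone it reports only post 2; run with `wp eval-file wpgsv-audit.php` on a live site it walks the posts table. Revisions are included because post_type 'any' covers them, which matters here: a contributor can edit the payload out again after an admin has previewed it, and the revision is then the only evidence.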


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-20T16:27:40.077Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e5fb7ef31ef0b59f17a

Added to database: 2/25/2026, 9:49:19 PM

Last enriched: 2/26/2026, 12:00:28 AM

Last updated: 2/26/2026, 6:17:41 AM


