CVE-2024-13551 identifies a stored Cross-Site Scripting (XSS) vulnerability in the ABC Notation plugin for WordPress, developed by paulrosen. The vulnerability exists in all versions up to and including 6.1.3 due to improper neutralization of user-supplied input within the plugin's 'abcjs' shortcode. Specifically, the plugin fails to adequately sanitize and escape attributes provided by authenticated users, allowing malicious JavaScript code to be injected and stored within WordPress pages or posts. When any user, including administrators or visitors, accesses a page containing the injected shortcode, the malicious script executes in their browser context. The attack vector is remote over the network, with low complexity, requiring only contributor-level privileges—meaning users who can create or edit content but do not have full administrative rights. No user interaction is needed beyond viewing the compromised page. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed on behalf of users. Availability is not directly affected. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity. No patches or fixes are currently linked, and no known exploits have been observed in the wild, but the risk remains significant given the ease of exploitation and potential impact. The vulnerability is classified under CWE-79, a common and well-understood web application security issue.

The primary impact of CVE-2024-13551 is the potential compromise of user accounts and site integrity on WordPress installations using the ABC Notation plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors and administrators, leading to session hijacking, theft of sensitive information, or unauthorized actions such as content modification or privilege escalation. This can result in reputational damage, data breaches, and loss of user trust. Since the vulnerability requires authenticated access at contributor level or higher, insider threats or compromised contributor accounts pose a significant risk. The scope includes all WordPress sites using the vulnerable plugin version, which may be widespread given WordPress's global popularity. The vulnerability does not directly impact system availability but can facilitate further attacks that might. Organizations relying on ABC Notation for music notation display on their WordPress sites should be particularly vigilant, as attackers could leverage this to target communities interested in music or education. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks.

To mitigate CVE-2024-13551, organizations should immediately update the ABC Notation plugin to a patched version once available. In the absence of an official patch, administrators should consider temporarily disabling the plugin or removing the 'abcjs' shortcode functionality to prevent exploitation. Implement strict role-based access controls to limit contributor-level privileges only to trusted users and monitor contributor activities for suspicious behavior. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the shortcode parameters. Additionally, sanitize and validate all user inputs at the application level, and apply output encoding to prevent script execution. Regularly audit WordPress plugins for vulnerabilities and keep all components updated. Educate content contributors about safe content practices and the risks of injecting untrusted code. Finally, monitor logs and user reports for signs of XSS exploitation or anomalous behavior on affected sites.