The TemplatesNext ToolKit plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-13559. This vulnerability is due to improper neutralization of input during web page generation, specifically within the 'tx_woo_wishlist_table' shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability affects all versions up to and including 3.2.9 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with no availability impact. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin's role in e-commerce wishlist functionality. The vulnerability's exploitation scope is limited by the need for contributor-level access, but once exploited, it can affect any user viewing the injected content, potentially leading to broader compromise within the affected site.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of any user visiting the infected pages, including administrators and customers. This can lead to session hijacking, theft of sensitive information, unauthorized actions such as changing user settings or performing transactions, and defacement of website content. For e-commerce sites using the TemplatesNext ToolKit, this could result in loss of customer trust, financial fraud, and reputational damage. Since the vulnerability requires authenticated access, the risk is somewhat mitigated but remains significant in environments with multiple contributors or where contributor accounts are compromised. The widespread use of WordPress globally, especially in small to medium businesses, increases the potential attack surface. The lack of known exploits in the wild suggests limited active exploitation currently, but the vulnerability remains a critical concern until patched.

Organizations should immediately update the TemplatesNext ToolKit plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implementing Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'tx_woo_wishlist_table' shortcode parameters can provide temporary protection. Site owners should also enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scanning WordPress installations for injected scripts or anomalous content is recommended. Additionally, educating contributors about secure input practices and monitoring logs for unusual activity can help detect exploitation attempts early. Finally, consider disabling or removing the TemplatesNext ToolKit plugin if it is not essential to reduce the attack surface.