CVE-2024-13572 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Precious Metals Charts and Widgets plugin for WordPress by nfusionsolutions. This vulnerability affects all versions up to and including 1.2.8. The root cause is insufficient sanitization and escaping of user-supplied attributes in the 'nfusion-widget' shortcode, which is used to embed precious metals charts and widgets on WordPress pages. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into the shortcode attributes. Because the injected script is stored persistently in the WordPress database, it executes every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability requires no user interaction beyond page viewing but does require authentication with contributor or higher privileges, which limits exposure to some extent. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or editors. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation.

The impact of CVE-2024-13572 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, or defacement of website content. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who visit the compromised pages. This can damage organizational reputation, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. The requirement for contributor-level access reduces the risk from anonymous attackers but still poses a threat in environments with multiple authenticated users or weak access controls. Organizations relying on this plugin for financial or commodity-related content may face increased risk due to the sensitive nature of their audience and data. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a significant risk if weaponized.

To mitigate CVE-2024-13572, organizations should first verify if they are using the Precious Metals Charts and Widgets plugin for WordPress, especially versions up to 1.2.8. Immediate steps include: 1) Restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious input. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious script injections in shortcode attributes. 3) Apply manual input validation and sanitization for any user-generated content related to the plugin if custom development is possible. 4) Monitor and audit user activities for unusual behavior or unauthorized changes in shortcode content. 5) Regularly check for updates or patches from the vendor and apply them promptly once available. 6) Consider temporarily disabling the plugin or replacing it with alternative solutions that do not exhibit this vulnerability until a patch is released. 7) Educate content contributors about secure content practices and the risks of injecting untrusted code. These targeted actions go beyond generic advice by focusing on access control, monitoring, and proactive content validation specific to this plugin's context.