CVE-2024-13573 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the Zigaform – Form Builder Lite plugin for WordPress in all versions up to 7.4.2. The vulnerability is due to improper neutralization of input during web page generation, specifically in the handling of the 'zgfm_rfvar' shortcode. The plugin fails to sufficiently sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability requires no user interaction beyond visiting the compromised page and can be exploited remotely over the network. The CVSS 3.1 base score is 6.4, indicating medium severity, with attack vector network, low complexity, privileges required (low), no user interaction, and scope changed due to impact on other users. No patches or exploit code are currently publicly available, but the risk remains significant due to the widespread use of WordPress and the plugin. The vulnerability highlights the importance of strict input validation and output encoding in web applications, especially those that allow user-generated content or shortcode attributes.

The primary impact of CVE-2024-13573 is the potential for attackers with contributor-level access to inject malicious scripts that execute in the context of other users visiting the affected pages. This can lead to theft of authentication cookies, session tokens, or other sensitive information, enabling attackers to escalate privileges or impersonate users. The integrity of site content can be compromised by unauthorized modifications or defacements. Although availability is not directly impacted, the trustworthiness and security posture of affected websites are degraded. Organizations relying on the Zigaform plugin may face increased risk of account takeover, data leakage, and reputational damage. Since WordPress powers a significant portion of the web, and this plugin is used globally, the scope of affected systems is broad. The requirement for contributor-level access limits exploitation to insiders or compromised accounts, but the ease of exploitation and network accessibility increase the threat. The vulnerability could be leveraged in targeted attacks against organizations with sensitive data or high-value web properties.

To mitigate CVE-2024-13573, organizations should immediately update the Zigaform – Form Builder Lite plugin to a patched version once available. Until a patch is released, restrict contributor-level and higher privileges to trusted users only, and audit existing accounts for suspicious activity. Implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'zgfm_rfvar' shortcode parameters. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly review and sanitize all user-generated content and shortcode inputs. Monitor logs for unusual behavior indicative of XSS exploitation attempts. Consider disabling or replacing the vulnerable plugin if patching is delayed. Educate site administrators and users about the risks of privilege misuse and the importance of strong authentication controls. Finally, conduct penetration testing and vulnerability scanning focused on XSS to identify and remediate similar issues proactively.