CVE-2024-13575 identifies a stored cross-site scripting (XSS) vulnerability in the 'Web Stories Enhancer – Level Up Your Web Stories' WordPress plugin developed by magazine3. The vulnerability exists in all plugin versions up to and including 1.3. It stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes in the 'web_stories_enhancer' shortcode. Authenticated attackers with contributor-level or higher privileges can inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute every time a user accesses the compromised page, potentially enabling session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed as the vulnerability affects other users viewing the injected content. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The lack of available patches at the time of reporting necessitates interim mitigations such as restricting contributor access and monitoring for suspicious activity.

The impact of CVE-2024-13575 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an authenticated contributor or higher to inject malicious scripts that execute in the context of other users visiting the compromised pages. This can lead to theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, defacement of website content, or distribution of malware to visitors. Although availability is not directly affected, the reputational damage and potential data breaches can be severe. Organizations relying on this plugin for web story enhancements risk exposure of sensitive user data and loss of user trust. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with multiple contributors or less stringent access controls. The vulnerability could be leveraged in targeted attacks against high-value websites or used as a foothold for further compromise within an organization's web infrastructure.

To mitigate CVE-2024-13575, organizations should first monitor for plugin updates from the vendor magazine3 and apply patches promptly once available. Until a patch is released, restrict contributor-level and higher access to trusted users only, minimizing the risk of malicious script injection. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'web_stories_enhancer' shortcode parameters. Conduct regular code reviews and security audits of user-generated content and plugin usage. Employ Content Security Policy (CSP) headers to limit the impact of potential XSS by restricting script execution sources. Additionally, sanitize and validate all user inputs at the application level, and ensure output encoding is correctly applied in templates rendering user content. Educate content contributors about safe content practices and monitor logs for unusual activity indicative of exploitation attempts. Finally, consider disabling or replacing the vulnerable plugin if immediate patching is not feasible.