CVE-2024-13577 is a stored Cross-Site Scripting (XSS) vulnerability identified in the CATS Job Listings plugin for WordPress, affecting all versions up to and including 2.0.9. The flaw stems from insufficient sanitization and escaping of user-supplied attributes within the plugin's 'catsone' shortcode. Specifically, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages generated by the plugin. Because the injected script is stored persistently, it executes automatically whenever any user views the affected page, without requiring any additional interaction. This vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The impact includes limited confidentiality and integrity loss but no availability impact. No patches or official fixes have been published at the time of disclosure, and no known exploits are reported in the wild. The vulnerability is particularly concerning in multi-user WordPress environments where contributors can add content, as it allows privilege escalation through script injection, potentially leading to session hijacking, defacement, or further exploitation of user accounts.

The primary impact of CVE-2024-13577 is the potential for attackers with contributor-level access to execute arbitrary JavaScript in the context of the affected website. This can lead to theft of session cookies, enabling account takeover or privilege escalation, defacement of website content, or redirection to malicious sites. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who visit the compromised pages, increasing the attack surface. Organizations using the CATS Job Listings plugin in environments with multiple contributors or editors are at higher risk. The confidentiality and integrity of user data and site content can be compromised, potentially damaging organizational reputation and user trust. Although availability is not directly impacted, the indirect effects of exploitation, such as site downtime due to remediation or loss of user confidence, can be significant. The vulnerability's exploitation requires authenticated access, limiting exposure to internal or trusted users, but insider threats or compromised contributor accounts can leverage this flaw. The lack of known public exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure.

1. Immediately restrict contributor-level and higher permissions to trusted users only until a patch is available. 2. Monitor and audit all user-generated content submitted via the 'catsone' shortcode for suspicious scripts or unusual inputs. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the affected shortcode parameters. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 5. Regularly back up website data to enable quick restoration in case of compromise. 6. Encourage the plugin vendor to release an official patch and apply it promptly once available. 7. Consider temporarily disabling or replacing the CATS Job Listings plugin if the risk is unacceptable and no patch is available. 8. Educate contributors about safe content submission practices and the risks of injecting scripts. 9. Use security plugins that scan for stored XSS vulnerabilities and alert administrators. 10. Review and harden WordPress user roles and capabilities to minimize unnecessary privileges.