CVE-2024-13579 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the WP-Asambleas plugin for WordPress. The flaw exists in the handling of the 'polls_popup' shortcode, where user-supplied attributes are not properly sanitized or escaped before being embedded into web pages. This allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code that is stored persistently and executed in the context of any user who views the affected page. The vulnerability impacts all versions up to and including 2.85.0. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) indicating that the vulnerability affects resources beyond the vulnerable component, potentially impacting the confidentiality and integrity of user data. No public exploits have been reported yet, but the vulnerability poses a significant risk because contributor-level users are common in WordPress environments, and stored XSS can lead to session hijacking, defacement, or further exploitation. The vulnerability was reserved in January 2025 and published in February 2025. No official patches or fixes are currently linked, so mitigation relies on access control and input validation measures.

The impact of CVE-2024-13579 is primarily on the confidentiality and integrity of WordPress sites using the WP-Asambleas plugin. Successful exploitation allows an attacker with contributor-level access to inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, or site defacement. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who access the compromised content. This can damage organizational reputation, lead to data breaches, and facilitate further attacks such as privilege escalation or malware distribution. The requirement for contributor-level access limits exploitation to insiders or compromised accounts, but such access is common in collaborative WordPress environments. The lack of user interaction needed increases the risk of widespread impact once the malicious script is injected. Organizations relying on WP-Asambleas for polling or assembly management on WordPress sites are at risk, especially those with multiple contributors and high traffic volumes.

To mitigate CVE-2024-13579, organizations should immediately review and restrict contributor-level access to trusted users only, minimizing the risk of malicious script injection. Implement strict input validation and output escaping for all user-supplied data in the WP-Asambleas plugin, especially within the 'polls_popup' shortcode attributes. Until an official patch is released, consider disabling or removing the WP-Asambleas plugin if feasible. Employ Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting the plugin. Monitor logs and user activity for suspicious behavior indicative of exploitation attempts. Educate contributors about the risks of injecting untrusted content. Regularly update WordPress core and plugins to the latest versions once a patch for this vulnerability is available. Additionally, conduct security audits and penetration testing focused on XSS vulnerabilities in custom or third-party plugins to proactively identify similar issues.