CVE-2024-13582 is a stored cross-site scripting vulnerability identified in the Simple Pricing Tables plugin for WPBakery Page Builder, a popular WordPress page builder plugin. The vulnerability arises from improper neutralization of input during web page generation (CWE-79). Specifically, the plugin's 'wdo_simple_pricing_table_free' shortcode fails to adequately sanitize and escape user-supplied attributes before rendering them on pages. This flaw allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Once injected, the malicious script executes in the context of any user who visits the compromised page, potentially enabling session hijacking, theft of sensitive information, or further attacks such as privilege escalation or persistent browser-based malware. The vulnerability affects all versions up to 1.0 of the plugin. The CVSS 3.1 base score of 6.4 indicates a medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and impacts on confidentiality and integrity but not availability. No patches or official fixes are currently linked, and no known exploits are reported in the wild. The vulnerability's scope is confined to WordPress sites using this specific plugin, particularly those allowing contributor-level users to add or edit pricing tables using the vulnerable shortcode.

The impact of CVE-2024-13582 can be significant for organizations using the affected plugin on WordPress sites. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts, which execute in the browsers of any visitors to the compromised pages. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access to user accounts, including potentially administrative accounts. It may also facilitate the spread of malware, phishing attacks, or defacement of websites. The integrity of website content can be compromised, and user trust damaged. Although availability is not directly affected, the reputational and operational consequences can be severe, especially for e-commerce or business-critical sites relying on WPBakery Page Builder. Since contributor-level access is required, the threat is heightened in environments where multiple users have editing privileges or where account compromise is easier. The vulnerability could be leveraged as a foothold for further attacks within the organization's network or customer base.

To mitigate CVE-2024-13582, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and review existing user permissions to minimize risk. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the vulnerable shortcode can provide temporary protection. Site administrators should audit content created with the 'wdo_simple_pricing_table_free' shortcode for suspicious or unauthorized scripts and remove any found. Employing Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting allowed sources of executable code. Additionally, hardening WordPress security by enforcing strong authentication, monitoring user activity, and regularly scanning for malware or injected code is recommended. Developers maintaining the plugin should update the code to properly sanitize and escape all user inputs in the shortcode output to prevent this and similar XSS vulnerabilities.