CVE-2024-13584 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the WordPress plugin 'Picture Gallery – Frontend Image Uploads, AJAX Photo List' developed by videowhisper. This vulnerability affects all plugin versions up to and including 1.5.19. The root cause is insufficient sanitization and output escaping of user-supplied attributes within the 'videowhisper_pictures' shortcode, which is used to display images via AJAX. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code that is stored persistently in the plugin’s data. When any user visits a page containing the injected shortcode, the malicious script executes in their browser context. This can lead to session hijacking, theft of cookies, defacement, or further client-side attacks. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector over the network, low complexity, requiring privileges (contributor or higher), no user interaction, and scope change due to affecting other users. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially those with multiple contributors. The plugin’s widespread use in WordPress sites makes the vulnerability relevant globally. The issue highlights the importance of proper input validation and output encoding in web applications, particularly in plugins that accept user-generated content.

The impact of CVE-2024-13584 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an authenticated contributor or higher to inject persistent malicious scripts that execute in the browsers of any visitor or administrator viewing the compromised page. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of users, and defacement of website content. The vulnerability does not directly affect availability but can indirectly cause reputational damage and loss of user trust. Organizations relying on this plugin for image galleries on WordPress sites face risks of data leakage and compromise of administrative accounts. Since the attack requires contributor-level access, the threat is elevated in environments with multiple content editors or less restrictive user privilege management. The scope of impact is broad because the injected scripts affect all users accessing the infected pages, potentially enabling widespread exploitation within an organization or customer base. Without mitigation, attackers could leverage this vulnerability to establish persistent footholds or pivot to other attacks within the web environment.

To mitigate CVE-2024-13584, organizations should first check for and apply any official patches or updates from the videowhisper plugin developer once available. Until a patch is released, restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implement web application firewalls (WAFs) with rules to detect and block typical XSS payloads targeting the 'videowhisper_pictures' shortcode parameters. Employ content security policies (CSP) to limit script execution sources and reduce the impact of injected scripts. Regularly monitor logs and user activity for unusual behavior indicative of exploitation attempts. Consider disabling or replacing the vulnerable plugin if immediate patching is not feasible. Additionally, review and harden WordPress user roles and permissions to minimize the number of users with contributor or higher privileges. Educate content editors about the risks of injecting untrusted content and enforce strict input validation on any custom forms or upload features integrated with the plugin.