CVE-2024-13587 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin Zigaform – Price Calculator & Cost Estimation Form Builder Lite, versions up to and including 7.4.2. The vulnerability stems from insufficient sanitization and escaping of user-supplied input within the 'zgfm_fvar' shortcode. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes in the context of any user who visits the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the victim. The vulnerability requires authentication but no additional user interaction, and the attack complexity is low. The CVSS 3.1 score of 6.4 reflects a medium severity with network attack vector, low complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability poses a significant risk in multi-user WordPress environments where contributors can add content. The lack of patch links suggests that a fix may not yet be available or publicly released, emphasizing the need for immediate mitigation steps. This vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

The primary impact of CVE-2024-13587 is the compromise of confidentiality and integrity of user data on affected WordPress sites using the vulnerable Zigaform plugin. Exploitation allows attackers to execute arbitrary scripts in the context of site visitors, which can lead to session hijacking, theft of authentication tokens, defacement, or redirection to malicious sites. This can erode user trust and damage organizational reputation. For organizations, especially those with multiple contributors or editors, the risk is elevated as attackers only need contributor-level access to inject malicious payloads. The vulnerability does not affect availability directly but can lead to indirect service disruptions if exploited at scale or combined with other attacks. Since WordPress powers a significant portion of websites globally, the scope of affected systems is broad, particularly for sites using this specific plugin. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, as attackers may develop exploits rapidly once details are public. Organizations relying on this plugin for price calculation and cost estimation functionality may face operational risks if the plugin is disabled or removed as a mitigation step.

1. Immediately restrict contributor-level access to trusted users only until a patch is available. 2. Monitor and audit all content submissions involving the 'zgfm_fvar' shortcode for suspicious or unexpected input. 3. Apply strict input validation and output escaping at the application or web server level if possible, using web application firewalls (WAFs) with custom rules targeting the vulnerable shortcode parameters. 4. Disable or remove the Zigaform – Price Calculator & Cost Estimation Form Builder Lite plugin if it is not essential or if no patch is available. 5. Keep WordPress core and all plugins updated, and subscribe to vendor or security mailing lists for patch announcements. 6. Educate contributors about the risks of injecting untrusted content and enforce content submission policies. 7. Implement Content Security Policy (CSP) headers to reduce the impact of XSS by restricting script execution sources. 8. Conduct regular security scans and penetration testing focusing on XSS vulnerabilities in user-generated content areas. 9. Backup website data regularly to enable quick recovery if exploitation occurs.