CVE-2024-13588 is a stored cross-site scripting vulnerability identified in the Simplebooklet PDF Viewer and Embedder plugin for WordPress, maintained by kenkwasnicki. The vulnerability exists in all versions up to and including 1.1.0 due to insufficient sanitization and escaping of user-supplied attributes within the 'simplebooklet' shortcode. This flaw allows authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security weakness. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and partial confidentiality and integrity impact. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly.

The impact of CVE-2024-13588 is significant for organizations using the Simplebooklet PDF Viewer and Embedder plugin on WordPress sites. Successful exploitation can lead to persistent cross-site scripting attacks, enabling attackers to hijack user sessions, steal sensitive information such as authentication cookies, perform unauthorized actions on behalf of users, or deface websites. Since the vulnerability requires only contributor-level access, it lowers the barrier for exploitation by insiders or compromised accounts. This can undermine user trust, lead to data breaches, and potentially facilitate further attacks such as privilege escalation or malware distribution. The scope includes all users who visit infected pages, which can be broad for public-facing websites. Although no known exploits are reported in the wild, the presence of this vulnerability increases the risk profile of affected sites and may attract attackers targeting WordPress ecosystems.

To mitigate CVE-2024-13588, organizations should immediately update the Simplebooklet PDF Viewer and Embedder plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should consider disabling or removing the plugin to eliminate exposure. Additionally, implement strict input validation and output encoding for all user-supplied data in shortcodes and other plugin inputs. Restrict contributor-level permissions carefully and audit user accounts to prevent unauthorized access. Employ Web Application Firewalls (WAFs) with rules targeting common XSS payloads to provide temporary protection. Regularly monitor website content for unexpected script injections and conduct security scans. Educate content contributors about safe input practices and the risks of injecting untrusted content. Finally, maintain regular backups and incident response plans to recover quickly if exploitation occurs.