CVE-2024-13589: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in johnnya23 YouTube Playlists with Schema
CVE-2024-13589 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin 'YouTube Playlists with Schema' by johnnya23, affecting all versions up to and including 2.6.1. The flaw arises from insufficient input sanitization and output escaping of user-supplied attributes in the 'yt_grid' shortcode, allowing authenticated users with contributor-level access or higher to inject markup that is stored with the post and emitted unescaped when the shortcode renders. The injected script runs in the browser of any user who views the affected page, including an editor or administrator previewing a pending post, and can lead to session hijacking, defacement, or unauthorized actions performed with the victim's privileges. The vulnerability carries a CVSS 3.1 base score of 6.4 (medium); in CVSS terms it needs no user interaction beyond viewing the page, but it does require an authenticated account. No public exploit is currently known. Organizations using this plugin should prioritize patching or mitigating this issue. Sites with many contributor-level accounts, and regions with heavy WordPress usage, face higher exposure.
AI Analysis
Technical Summary
CVE-2024-13589 identifies a stored cross-site scripting vulnerability in the 'YouTube Playlists with Schema' WordPress plugin developed by johnnya23. It exists in all versions up to and including 2.6.1 because user-supplied attributes of the 'yt_grid' shortcode are neither sanitized on input nor escaped on output before the plugin renders them into the page. Shortcodes are the natural vehicle for this bug class: a contributor can place [yt_grid ...] in a post, and while WordPress core's kses filtering strips script tags and event-handler attributes from HTML in contributor content, it does not parse a shortcode's quoted attribute values as HTML, so a value such as a closing quote followed by an on*= handler survives and is emitted verbatim by the plugin. Because the payload is stored in the post content, it executes in the context of any user who views the affected page, including staff who preview the pending post, and can compromise sessions, steal cookies, or perform actions on behalf of the victim. Exploitation requires an authenticated account with contributor or higher privileges, which limits exposure to sites that grant such roles. The CVSS 3.1 base score is 6.4: network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low confidentiality and integrity impact with no availability impact (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, the combination of these factors that yields 6.4). No public exploit has been reported yet, but the plugin's presence on live WordPress sites makes this a notable risk wherever it runs without an update or mitigation.
Potential Impact
The primary impact is that an attacker with contributor-level access can store a malicious script in a page, where it runs in the browser of every user who views that page. Because contributors cannot publish, the first victim is typically the editor or administrator who previews the pending post; a script running in that session can, for example, create an administrator account or install a plugin, turning a medium-severity XSS into a site takeover. Once published, the payload also reaches site visitors, enabling session hijacking, theft of cookies or credentials, actions performed on their behalf, and defacement. For organizations this undermines user trust, can lead to data breaches, and may bring reputational or regulatory consequences. Because authenticated access is required, the risk is highest where contributor roles are granted broadly (multi-author blogs, guest-post programs) or where credentials have been compromised. The scope includes every site running an affected version, which may be numerous given WordPress's popularity. No public exploit is known at the time of writing, but the medium severity and the low skill required of an authenticated user make it a significant concern for affected sites.
Mitigation Recommendations
Update the 'YouTube Playlists with Schema' plugin to a release that addresses CVE-2024-13589 as soon as one is available, or deactivate and remove it if it is not needed. Until then, limit contributor-level and higher roles to trusted users, audit existing accounts for unneeded privileges, and treat pending and draft posts from contributors as untrusted input when reviewing them. A Web Application Firewall rule that inspects shortcode attribute values can provide temporary cover, but it must look for quote characters and on*= event handlers rather than only '<script', because an attribute break-out needs no angle brackets. A Content Security Policy that disallows inline scripts and event handlers would neutralize such payloads, with the caveat that WordPress core and many themes rely on inline scripts, so CSP is a longer-term hardening measure rather than a quick fix. Scan post content (published, pending and draft alike) for 'yt_grid' shortcodes whose attribute values contain quotes, angle brackets, event handlers or javascript: URLs, and watch for contributor accounts that suddenly start using the shortcode. Developers maintaining the plugin should declare the accepted attributes with shortcode_atts(), validate typed values (absint() for counts, an allowlist pattern for playlist identifiers) and escape every value for its output context with esc_attr(), esc_html() or esc_url() before it is rendered.
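The shortcode handling described in the technical summary, and the content audit the mitigation section calls for, as an added example. This is not code from the 'YouTube Playlists with Schema' plugin: the attribute names (playlist, columns, title) and the markup are hypothetical, and the script is plain PHP so it runs with `php grid.php` outside WordPress. Inside WordPress the same work is done by shortcode_atts(), absint(), esc_attr()/esc_html() and esc_url(); here htmlspecialchars(), an (int) cast with a range clamp, and array_merge() stand in for them.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the 'YouTube Playlists with Schema' plugin.
// The attribute names (playlist, columns, title) and the markup are hypothetical.
// Outside WordPress, htmlspecialchars() stands in for esc_attr()/esc_html(),
// (int) plus a range clamp for absint(), and array_merge() for shortcode_atts().

// Minimal stand-in for WordPress shortcode_parse_atts(): key="v", key='v', key=v.
function parse_shortcode_atts(string $body): array
{
    $atts = [];
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/', $body, $m, PREG_SET_ORDER);
    foreach ($m as $match) {
        $value = $match[2] ?? '';
        if ($value === '') { $value = $match[3] ?? ''; }
        if ($value === '') { $value = $match[4] ?? ''; }
        $atts[strtolower($match[1])] = $value;
    }
    return $atts;
}

const GRID_DEFAULTS = ['playlist' => '', 'columns' => '3', 'title' => ''];

// VULNERABLE: the pattern the advisory describes. Attribute values written by a
// contributor are concatenated into markup with no validation or escaping.
function render_grid_vulnerable(array $atts): string
{
    $a = array_merge(GRID_DEFAULTS, $atts);
    return '<div class="yt-grid" data-playlist="' . $a['playlist'] . '"'
         . ' data-columns="' . $a['columns'] . '">'
         . '<h2>' . $a['title'] . '</h2></div>';
}

// HARDENED: validate what has a known shape, escape the rest for the context it
// lands in, and drop attributes the shortcode does not define.
function render_grid_hardened(array $atts): string
{
    $a = array_merge(GRID_DEFAULTS, array_intersect_key($atts, GRID_DEFAULTS));

    // A playlist ID is a short token; anything else is rejected, not "cleaned".
    $playlist = preg_match('/^[A-Za-z0-9_-]{1,64}$/', $a['playlist']) === 1 ? $a['playlist'] : '';

    // Integer attribute: cast, then clamp to what the layout supports.
    $columns = max(1, min(6, (int) $a['columns']));

    // Free text: HTML-escape with quotes encoded, so it cannot close an attribute.
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<div class="yt-grid" data-playlist="' . $esc($playlist) . '"'
         . ' data-columns="' . $columns . '">'
         . '<h2>' . $esc($a['title']) . '</h2></div>';
}

// Audit helper for the mitigation section: flag [yt_grid ...] shortcodes whose
// attribute values carry quotes, angle brackets, event handlers or javascript: URLs.
// Run it over the post content of published, pending and draft posts alike.
function find_suspicious_yt_grid(string $post_content): array
{
    $hits = [];
    preg_match_all('/\[yt_grid\b([^\]]*)\]/i', $post_content, $m);
    foreach ($m[1] as $body) {
        foreach (parse_shortcode_atts($body) as $name => $value) {
            if (preg_match('/[<>"\']|javascript:|\bon\w+\s*=/i', $value) === 1) {
                $hits[] = [$name => $value];
            }
        }
    }
    return $hits;
}

// Constructed sample post: an attribute break-out payload with no angle brackets.
// Core's kses filtering of contributor content does not see it as a tag, so only
// the plugin's own escaping stands between it and the rendered page.
$post = "Intro text\n"
      . "[yt_grid playlist='PLxyz' columns='3\" onmouseover=\"alert(document.cookie)' title='Talks']\n";

preg_match('/\[yt_grid\b([^\]]*)\]/', $post, $m);
$atts = parse_shortcode_atts($m[1]);

echo "vulnerable: ", render_grid_vulnerable($atts), "\n";
echo "hardened:   ", render_grid_hardened($atts), "\n";
echo "audit:      ", json_encode(find_suspicious_yt_grid($post)), "\n";
```

The vulnerable renderer emits `data-columns="3" onmouseover="alert(document.cookie)"`, so the handler fires on hover for whoever views or previews the post; the hardened renderer reduces the same input to `data-columns="3"`. The payload shape matters for the WAF and CSP advice above: it contains no `<script` for a naive signature to catch, and it is an inline event handler, which is exactly what a CSP without 'unsafe-inline' for script-src blocks.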
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-21T14:46:32.864Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e61b7ef31ef0b59f4af
Added to database: 2/25/2026, 9:49:21 PM
Last enriched: 2/25/2026, 11:29:44 PM
Last updated: 2/26/2026, 6:08:50 AM