
CVE-2024-13590: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ayecode Ketchup Shortcodes

Severity: Medium
Tags: Vulnerability, CVE-2024-13590, CWE-79
Published: Wed Jan 22 2025 (01/22/2025, 03:21:31 UTC)
Source: CVE Database V5
Vendor/Project: ayecode
Product: Ketchup Shortcodes

Description

CVE-2024-13590 is a stored Cross-Site Scripting (XSS) vulnerability in the ayecode Ketchup Shortcodes WordPress plugin, affecting all versions up to and including 0.1.2. The flaw arises from improper sanitization and escaping of user-supplied attributes in the 'spacer' shortcode, allowing authenticated users with contributor-level or higher privileges to inject malicious scripts. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking, defacement, or further attacks. The vulnerability has a CVSS score of 6.4 (medium severity); it does not require user interaction but does require authenticated access. No known public exploits exist yet. Organizations using this plugin should prioritize patching or mitigating this issue to prevent abuse. Exposure is limited to WordPress sites running this plugin, and is therefore broadest where WordPress adoption and active content management are common.

AI-Powered Analysis

Last updated: 02/25/2026, 23:29:33 UTC

Technical Analysis

CVE-2024-13590 identifies a stored Cross-Site Scripting (XSS) vulnerability in the ayecode Ketchup Shortcodes plugin for WordPress, specifically in the 'spacer' shortcode. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes, allowing an attacker with contributor-level or higher access to inject arbitrary JavaScript code into pages. Because the malicious script is stored within the shortcode content, it executes whenever any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 0.1.2 of the plugin. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change with low confidentiality and integrity impact but no availability impact. No public exploits are currently known. The vulnerability is significant because contributor-level users are common in WordPress environments, and stored XSS can lead to persistent compromise. The lack of patches at the time of reporting means organizations must apply workarounds or restrict access until a fix is available.
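The class of defect described above, shown as a hypothetical `spacer` shortcode handler beside a hardened version. This is an added illustration written for this page, not code from the Ketchup Shortcodes plugin; the `height` and `class` attribute names are assumptions, since the record does not list the shortcode's attributes.

```php
<?php
/**
 * Hypothetical [spacer] shortcode handlers (not the plugin's code).
 * Attribute names 'height' and 'class' are assumed for illustration.
 */

// VULNERABLE PATTERN: user-controlled attribute values are interpolated
// straight into the generated HTML. The kses filter applied to a contributor's
// post content strips disallowed HTML tags, but shortcode bracket text is not
// an HTML tag, so attribute values survive intact until the shortcode is
// rendered, where they reach the page unescaped.
function spacer_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'height' => '20px', 'class' => '' ),
        $atts,
        'spacer'
    );
    return '<div class="' . $atts['class'] . '" style="height:' . $atts['height'] . ';"></div>';
}

// HARDENED PATTERN: validate each attribute against the narrowest type the
// feature actually needs, then escape at the point of output.
function spacer_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'height' => 20, 'class' => '' ),
        $atts,
        'spacer'
    );

    // A spacer height only ever needs to be a non-negative integer pixel value.
    $height = absint( $atts['height'] );

    // Reduce the class attribute to characters valid in an HTML class name.
    $class = sanitize_html_class( $atts['class'] );

    // esc_attr() encodes quotes and angle brackets, so a value cannot break
    // out of the attribute even if the validation above were ever loosened.
    return sprintf(
        '<div class="%s" style="height:%dpx;"></div>',
        esc_attr( $class ),
        $height
    );
}

// Register only the hardened handler; the unsafe one is kept for comparison.
add_shortcode( 'spacer', 'spacer_shortcode_safe' );
```

The two handlers differ only in the last step, which is the whole point: sanitization on input (`absint`, `sanitize_html_class`) bounds what a value can be, and escaping on output (`esc_attr`) guarantees that whatever survived cannot change the HTML structure. Either alone is weaker than both together.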

Potential Impact

The impact of this vulnerability is primarily on the confidentiality and integrity of affected WordPress sites. An attacker with contributor-level access can inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, theft of authentication tokens, defacement, or redirection to malicious sites. This can undermine user trust, lead to data breaches, and facilitate further attacks such as privilege escalation or malware distribution. Since the vulnerability requires authenticated access, the risk is somewhat limited to environments where contributor accounts are granted, but many WordPress sites allow such roles for content creators. The scope change means the vulnerability can affect resources beyond the immediate plugin, potentially impacting the entire site. Although availability is not directly affected, the reputational damage and potential regulatory consequences from data exposure can be significant. Organizations relying on this plugin without mitigation are at risk of persistent compromise and should act promptly.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first restrict contributor-level access to trusted users only, minimizing the risk of malicious shortcode injection. Until an official patch is released, administrators can disable or remove the Ketchup Shortcodes plugin if it is not essential. Implementing Web Application Firewall (WAF) rules to detect and block suspicious shortcode attributes or script tags can provide temporary protection. Regularly audit shortcode content for unauthorized scripts or unusual modifications. Encourage users with contributor roles to follow security best practices and monitor logs for abnormal activity. Once a patch becomes available, promptly update the plugin to the fixed version. Additionally, applying Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Finally, educate site administrators and content creators about the risks of stored XSS and the importance of input validation.
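A way to carry out the "audit shortcode content" recommendation above, written as an added example for this page rather than a tool from the plugin or this record. It runs inside WordPress (for instance through `wp eval-file`) and flags `[spacer]` shortcodes whose attribute values contain characters a plain spacer would never need; the allowlist and the assumption that legitimate values are integers or CSS class names are this example's own.

```php
<?php
/**
 * Audit helper for stored shortcode content (added example, not plugin code).
 * Run from the WordPress context, e.g.:  wp eval-file audit-spacer.php
 */

/**
 * Scan posts for [spacer] shortcodes whose attribute values fall outside an
 * allowlist of characters plausible for a pixel height or a CSS class name.
 * Returns an array of findings keyed by post ID.
 */
function audit_spacer_shortcodes() {
    // Assumed allowlist: letters, digits, underscore, hyphen, whitespace,
    // percent, 'px' units and a decimal point. Quotes, angle brackets,
    // parentheses and the like are never legitimate here.
    $allowed = '/^[A-Za-z0-9_\-\s%px.]*$/';

    $findings = array();
    // get_shortcode_regex() accepts a tag list and returns a pattern without
    // delimiters; group 3 of that pattern is the raw attribute string.
    $regex = '/' . get_shortcode_regex( array( 'spacer' ) ) . '/';

    $posts = get_posts( array(
        'post_type'   => 'any',
        'post_status' => array( 'publish', 'pending', 'draft', 'future' ),
        'numberposts' => -1,
    ) );

    foreach ( $posts as $post ) {
        if ( ! preg_match_all( $regex, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            $atts = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $atts ) ) {
                continue; // no attributes on this instance
            }
            foreach ( $atts as $name => $value ) {
                if ( ! preg_match( $allowed, (string) $value ) ) {
                    $findings[ $post->ID ][] = array(
                        'author'    => (int) $post->post_author,
                        'modified'  => $post->post_modified_gmt,
                        'attribute' => is_int( $name ) ? '(positional)' : $name,
                        'shortcode' => $m[0],
                    );
                }
            }
        }
    }
    return $findings;
}

// Report one line per suspicious attribute so the author and modification time
// can be correlated with login and editing activity in the site's logs.
foreach ( audit_spacer_shortcodes() as $post_id => $hits ) {
    foreach ( $hits as $hit ) {
        printf(
            "post %d (author %d, modified %s UTC): suspicious value in attribute '%s'\n",
            $post_id,
            $hit['author'],
            $hit['modified'],
            $hit['attribute']
        );
    }
}
```

Drafts and pending posts are included deliberately: a contributor's content is stored before an editor publishes it, and the stored payload is what matters for this class of bug. The `shortcode` field in each finding keeps the exact text for a reviewer to inspect, while the printed summary exposes only the post, author, timestamp and attribute name.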


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-21T14:55:15.744Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e61b7ef31ef0b59f4b3

Added to database: 2/25/2026, 9:49:21 PM

Last enriched: 2/25/2026, 11:29:33 PM

Last updated: 2/26/2026, 6:31:09 AM

Views: 1

