CVE-2024-13591 is a stored cross-site scripting vulnerability identified in the Team Builder For WPBakery Page Builder plugin for WordPress, formerly known as Visual Composer. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes within the plugin's 'team-builder-vc' shortcode. Specifically, authenticated users with contributor-level access or higher can inject arbitrary JavaScript code into pages via this shortcode. Because the injected scripts are stored persistently, they execute every time any user accesses the affected page, leading to potential compromise of user sessions, theft of sensitive information, or unauthorized actions performed on behalf of users. The vulnerability affects all versions up to and including 1.0 of the plugin. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (contributor or higher), no user interaction, and a scope change. The impact includes limited confidentiality and integrity loss but no availability impact. No patches or official fixes are currently linked, and no active exploitation has been reported. The vulnerability highlights the risks of improper input validation in WordPress plugins, especially those that allow user-generated content or shortcode attributes. Attackers exploiting this flaw could leverage it to escalate privileges or conduct phishing and session hijacking attacks within affected sites.

The primary impact of CVE-2024-13591 is the compromise of confidentiality and integrity within affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users, including administrators, potentially leading to session hijacking, credential theft, or unauthorized actions such as content manipulation or privilege escalation. This can undermine trust in the affected website, cause data breaches, and facilitate further attacks like malware distribution or phishing. Since the vulnerability requires authenticated access, the risk is somewhat limited to environments where multiple users have contributor or higher roles. However, many WordPress sites have broad contributor access, increasing exposure. The vulnerability does not affect availability directly but can result in reputational damage and operational disruption. Organizations relying on this plugin for team or staff presentation features may face defacement or data leakage. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed rapidly once public. Overall, the vulnerability poses a moderate risk to organizations using the affected plugin, particularly those with multiple content contributors and high-value targets such as media, education, and corporate websites.

To mitigate CVE-2024-13591, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of official patches, administrators should consider disabling or removing the Team Builder For WPBakery Page Builder plugin if it is not essential. Restrict contributor-level access strictly to trusted users and review user roles to minimize the number of users who can exploit this vulnerability. Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious shortcode attribute inputs containing script tags or event handlers. Conduct regular security audits and scanning of WordPress sites to detect injected scripts or anomalous content. Educate content contributors about the risks of injecting untrusted content and enforce strict content validation policies. Additionally, consider using security plugins that provide enhanced input sanitization and output escaping for shortcodes. Monitor logs for unusual activity indicative of exploitation attempts. Finally, maintain regular backups to enable recovery in case of compromise.