The Store Locator Widget plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2024-13657, classified under CWE-79. This vulnerability arises from improper neutralization of input during web page generation, specifically in the handling of the 'storelocatorwidget' shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. Because the malicious script is stored persistently, it executes every time a user visits the affected page, potentially compromising the confidentiality and integrity of user sessions. The vulnerability affects all versions up to and including 20200131. Exploitation does not require user interaction but does require authenticated access with relatively low privileges, increasing the risk within multi-user WordPress environments. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. No official patches or fixes have been linked yet, and no known exploits are currently observed in the wild. This vulnerability could be leveraged for session hijacking, privilege escalation, or delivering further malware payloads within affected WordPress sites.

The impact of CVE-2024-13657 on organizations worldwide can be significant, especially for those relying on the Store Locator Widget plugin in their WordPress sites. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the browsers of any users visiting the compromised pages. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, defacement of website content, or distribution of malware. Since contributor-level access is often granted to multiple users, including content creators and editors, the attack surface is relatively broad within organizations. The vulnerability compromises confidentiality and integrity but does not directly affect availability. Organizations with high-traffic WordPress sites using this plugin risk reputational damage, data breaches, and potential regulatory consequences if user data is exposed. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability becomes widely known.

To mitigate CVE-2024-13657, organizations should first verify if they use the Store Locator Widget plugin and identify the affected versions (all versions up to 20200131). Since no official patch links are provided, immediate mitigation steps include: 1) Restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 2) Remove or disable the 'storelocatorwidget' shortcode usage in posts and pages until a patch or update is available. 3) Implement Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the shortcode parameters. 4) Monitor WordPress user activity logs for unusual behavior from contributors or editors. 5) Educate content contributors about the risks of injecting untrusted content and enforce strict content review processes. 6) Regularly check for updates from the plugin vendor or WordPress security advisories and apply patches promptly once available. 7) Consider replacing the vulnerable plugin with a secure alternative if timely patching is not feasible.