The vulnerability identified as CVE-2024-13660 affects the Responsive Flickr Slideshow plugin for WordPress, specifically all versions up to and including 2.6.1. This plugin allows embedding Flickr slideshows via the 'fshow' shortcode. The root cause is insufficient sanitization and escaping of user-supplied input parameters within this shortcode, which leads to a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79. An attacker with authenticated contributor-level privileges or higher can inject arbitrary JavaScript code into pages or posts using the vulnerable shortcode. Because the malicious script is stored persistently, it executes every time any user accesses the infected page, potentially allowing session hijacking, privilege escalation, or redirection to malicious sites. The CVSS 3.1 base score is 6.4, reflecting a network attack vector, low complexity, and no user interaction, but requiring some privileges (PR:L). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component, impacting confidentiality and integrity but not availability. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. The plugin is widely used in WordPress sites that embed Flickr slideshows, making this a relevant threat for many web administrators.

The primary impact of CVE-2024-13660 is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress sites using the Responsive Flickr Slideshow plugin. This can lead to theft of user session cookies, enabling account takeover or privilege escalation. It can also facilitate defacement, phishing, or distribution of malware through injected scripts. Because the vulnerability requires authenticated access, the risk is somewhat limited to sites that allow contributor-level users, but many WordPress sites do permit such roles for content creation. The compromise of user accounts or site integrity can damage organizational reputation, lead to data breaches, and cause operational disruptions. Since the vulnerability affects confidentiality and integrity without impacting availability, the threat is serious but not immediately disruptive to service. Organizations with public-facing WordPress sites using this plugin are at risk, especially those with multiple contributors or less stringent user access controls.

To mitigate CVE-2024-13660, organizations should first check if they use the Responsive Flickr Slideshow plugin and identify the installed version. Immediate steps include: 1) Updating the plugin to a fixed version once released by the vendor; 2) If no patch is available, temporarily disabling or removing the plugin to eliminate the attack surface; 3) Restricting contributor-level user permissions to trusted individuals only and auditing existing contributor accounts; 4) Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode inputs or script injections; 5) Employing Content Security Policy (CSP) headers to limit script execution sources; 6) Regularly scanning WordPress sites for malicious scripts or injected content; 7) Educating site administrators and contributors about the risks of XSS and safe content practices. Additionally, monitoring logs for unusual activity related to shortcode usage can help detect exploitation attempts early.