CVE-2024-13663 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the 'Coaching Staffs' WordPress plugin developed by markodonnell. This vulnerability affects all versions up to and including 1.4. The root cause is insufficient sanitization and escaping of user-supplied input within the plugin's 'mstw-cs-table' shortcode attributes. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript code into pages generated by this shortcode. Because the malicious script is stored persistently, it executes in the context of any user who views the compromised page, potentially allowing attackers to hijack user sessions, steal cookies, perform actions on behalf of users, or deface the website. The vulnerability does not require user interaction beyond visiting the infected page and does not require elevated privileges beyond contributor access, which is commonly granted in WordPress environments. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. No public exploits or patches have been reported at the time of publication, but the vulnerability is publicly disclosed and should be addressed promptly. The scope is limited to sites using the affected plugin versions, but given WordPress's widespread use, the potential attack surface is significant.

The impact of CVE-2024-13663 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in users' browsers, leading to session hijacking, credential theft, unauthorized actions, and potential website defacement. This can erode user trust, damage brand reputation, and result in data breaches. Since the vulnerability requires contributor-level access, attackers may leverage compromised or malicious contributor accounts to escalate their impact. The vulnerability does not directly affect availability but can indirectly cause denial of service through defacement or administrative disruption. Organizations relying on the Coaching Staffs plugin for team or staff management on their WordPress sites are at risk, especially if they allow multiple contributors or have high traffic. The lack of known exploits currently reduces immediate risk, but the public disclosure increases the likelihood of future exploitation attempts. The medium severity score suggests a moderate risk that should be addressed promptly to avoid exploitation.

To mitigate CVE-2024-13663, organizations should: 1) Immediately restrict contributor-level access to trusted users only, minimizing the risk of malicious input. 2) Monitor and audit contributor activities for suspicious shortcode usage or unexpected content changes. 3) Apply strict input validation and output escaping in the plugin code if custom modifications are possible, or replace the plugin with a secure alternative. 4) Regularly update the plugin once a patch is released by the vendor to address the vulnerability. 5) Employ Web Application Firewalls (WAFs) with rules to detect and block typical XSS payloads targeting the 'mstw-cs-table' shortcode. 6) Educate site administrators and contributors about the risks of injecting untrusted content. 7) Conduct periodic security assessments and scanning for stored XSS vulnerabilities on WordPress sites. These steps go beyond generic advice by focusing on access control, monitoring, and proactive code hygiene specific to this plugin and vulnerability.