CVE-2024-13664 is a stored cross-site scripting vulnerability classified under CWE-79 affecting the WP Post List Table plugin for WordPress, specifically all versions up to and including 1.0.3. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes in the plugin's 'wpb_post_list_table' shortcode. Authenticated attackers with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity with network attack vector, low attack complexity, and no user interaction required. The scope is changed (S:C), meaning the vulnerability affects resources beyond the attacker’s privileges. Although no public exploits are currently known, the risk remains significant due to the common use of WordPress and this plugin in content management. The vulnerability requires authenticated access, limiting exposure to users with at least contributor rights, but such roles are common in collaborative WordPress environments. The lack of patches at the time of publication necessitates immediate mitigation steps to prevent exploitation.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject malicious scripts that execute in the browsers of site visitors or administrators. This can lead to theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, or defacement of website content. While availability is not directly affected, the integrity and confidentiality of user data and site content are at risk. Organizations relying on this plugin may face reputational damage, loss of user trust, and potential compliance issues if sensitive data is compromised. Since the vulnerability requires authenticated access, the risk is somewhat mitigated but remains significant in environments with multiple contributors or editors. The scope change means that attackers can affect users with higher privileges than themselves, increasing the severity of the impact. Given WordPress's widespread use globally, many websites could be exposed, especially those that have not restricted contributor roles or do not monitor plugin security closely.

Organizations should immediately audit their WordPress installations to identify the presence of the WP Post List Table plugin and verify the version in use. Since no official patch is available yet, temporary mitigations include restricting contributor-level access to trusted users only and reviewing all content created via the 'wpb_post_list_table' shortcode for suspicious scripts. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting this plugin can reduce risk. Site administrators should enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Additionally, sanitizing and escaping all user inputs and outputs related to this plugin manually or via custom code can help mitigate exploitation. Monitoring logs for unusual activity or script injections and educating contributors about safe content practices are also recommended. Once a patch is released, prompt updating of the plugin is critical. Regular backups and incident response plans should be in place to recover from potential compromises.