CVE-2024-13665: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in sonalsinha21 Admire Extra
CVE-2024-13665 is a stored cross-site scripting (XSS) vulnerability in the Admire Extra WordPress plugin, affecting versions up to and including 1.6. It arises from improper sanitization and escaping of user-supplied attributes in the plugin's 'space' shortcode. Authenticated users with contributor-level access or higher can inject malicious scripts that execute when any user views the affected page. Triggering the vulnerability requires no interaction from the victim, but it does require authenticated privileges on the site. The CVSS score is 6.4 (medium severity), reflecting network exploitability with low attack complexity and partial confidentiality and integrity impact. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or mitigating this flaw to prevent potential session hijacking, defacement, or other script-based attacks. The threat primarily affects WordPress sites using this specific plugin, which may be more prevalent in countries with high WordPress adoption.
AI Analysis
Technical Summary
CVE-2024-13665 is a stored cross-site scripting vulnerability identified in the Admire Extra plugin for WordPress, affecting all versions up to and including 1.6. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes within the plugin's 'space' shortcode. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability is exploitable remotely over the network without user interaction but requires authenticated access, which limits the attack surface to users with some level of trust on the site. The CVSS 3.1 base score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to the impact on other users' confidentiality and integrity. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The lack of official patches or updates at the time of publication necessitates immediate mitigation steps by administrators to prevent exploitation.
Potential Impact
The primary impact of CVE-2024-13665 is the compromise of confidentiality and integrity of user sessions and data on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users, potentially stealing cookies, session tokens, or performing actions on behalf of victims. This can lead to account takeover, unauthorized content modification, or distribution of malware. The vulnerability does not directly affect availability but can indirectly cause reputational damage and loss of user trust. Organizations running WordPress sites with the Admire Extra plugin face increased risk of targeted attacks, especially if contributor accounts are compromised or misused. The scope of impact includes all users who visit injected pages, expanding the threat beyond the initial attacker. Given WordPress's widespread use globally, the vulnerability could affect a large number of websites, particularly those with collaborative content creation workflows.
Mitigation Recommendations
To mitigate CVE-2024-13665, administrators should immediately restrict contributor-level privileges to trusted users only, minimizing the risk of malicious script injection. Until an official patch is released, consider disabling or removing the Admire Extra plugin to eliminate the attack vector. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute inputs that may contain script tags or event handlers. Regularly audit user-generated content for injected scripts and monitor logs for unusual activity indicative of exploitation attempts. Encourage users to use strong, unique passwords and enable multi-factor authentication to reduce the risk of account compromise. Additionally, site owners should sanitize and escape all user inputs rigorously in custom code and plugins to prevent similar vulnerabilities. Stay informed about updates from the plugin vendor and apply patches promptly once available.
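As an added illustration (not the Admire Extra plugin's own code), the PHP below contrasts the bug class this advisory describes, a shortcode handler that interpolates user-supplied attributes into HTML unescaped, with a hardened handler that validates each attribute and escapes on output using WordPress's own helpers. The shortcode name and the attribute names (height, class) are assumptions for the demo.

```php
<?php
// Added illustration only; not code from the Admire Extra plugin.
// Shortcode name and attribute names are assumed for the demo.

// VULNERABLE PATTERN (the class of defect behind CVE-2024-13665):
// attribute values supplied in post content are concatenated straight into
// markup, so a value can close the quoted attribute and add its own markup.
function demo_space_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'height' => '20', 'class' => '' ),
        $atts,
        'space_demo'
    );
    return '<div class="' . $atts['class'] . '"'
         . ' style="height:' . $atts['height'] . 'px"></div>';
}

// HARDENED PATTERN: reduce each attribute to the narrowest type it needs
// (a pixel count is a non-negative integer, a class is a single class token),
// then escape at the point of output so no value can terminate the attribute.
function demo_space_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'height' => '20', 'class' => '' ),
        $atts,
        'space_demo'
    );
    $height = absint( $atts['height'] );             // digits only, >= 0
    $class  = sanitize_html_class( $atts['class'] ); // [A-Za-z0-9_-] only
    return sprintf(
        '<div class="%s" style="height:%dpx"></div>',
        esc_attr( $class ),                          // escape for attribute context
        $height                                      // %d: integer, cannot carry markup
    );
}

// Only the hardened handler is registered.
add_shortcode( 'space_demo', 'demo_space_shortcode_safe' );
```

Contributors lack the unfiltered_html capability, so WordPress already filters script markup out of their post body; shortcode attributes bypass that filter because the plugin builds the HTML itself, which is why escaping has to happen where the markup is generated.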
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-23T17:09:21.911Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e67b7ef31ef0b59ffc8
Added to database: 2/25/2026, 9:49:27 PM
Last enriched: 2/25/2026, 11:01:22 PM
Last updated: 2/26/2026, 8:11:11 AM