CVE-2024-13667 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Uncode WordPress theme, versions up to and including 2.9.1.6. The root cause is insufficient sanitization and escaping of the 'mle-description' parameter during web page generation, which allows an authenticated attacker with at least Subscriber-level privileges to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the browsers of any users who visit the affected pages, enabling attacks such as session hijacking, privilege escalation, or redirecting users to malicious sites. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required (low), user interaction required, and a scope change. Although no public exploits are known, the vulnerability poses a risk especially in multi-user WordPress environments where users with Subscriber or higher roles can inject scripts. The lack of patches at the time of publication necessitates immediate attention to mitigate risk. The vulnerability affects all versions of Uncode theme up to 2.9.1.6, widely used in WordPress sites for creative and business purposes.

The impact of CVE-2024-13667 on organizations worldwide can be significant, particularly for those relying on the Uncode WordPress theme for their websites. Successful exploitation allows attackers with minimal privileges to inject persistent malicious scripts, which execute in the browsers of site visitors and administrators. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access to user accounts. It may also facilitate defacement, phishing, or distribution of malware, damaging organizational reputation and user trust. Since the vulnerability requires authenticated access at Subscriber level or above, insider threats or compromised low-privilege accounts can be leveraged. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting the entire website's integrity. Organizations with high traffic or sensitive user data are at greater risk. Additionally, the widespread use of WordPress globally means a broad attack surface exists, increasing the likelihood of targeted or opportunistic attacks.

To mitigate CVE-2024-13667, organizations should first check for and apply any official patches or updates released by the Uncode theme developers as soon as they become available. In the absence of patches, immediate steps include restricting Subscriber-level access to trusted users only and auditing existing user roles to minimize unnecessary privileges. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'mle-description' parameter can reduce exploitation risk. Additionally, site administrators should enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scanning the website for injected scripts or anomalous content is recommended. Educating users about the risks of XSS and monitoring logs for unusual activity can help early detection. Finally, consider isolating or disabling features that accept input through the vulnerable parameter until a patch is applied.