CVE-2024-13670 is a stored cross-site scripting vulnerability identified in the efreja Music Sheet Viewer plugin for WordPress, affecting all versions up to and including 4.1. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes within the plugin's 'pn_msv' shortcode. Authenticated attackers with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize this shortcode. Because the malicious script is stored persistently, it executes automatically whenever any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the victim. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site. No patches or public exploits are currently reported, but the risk remains significant due to the ease of exploitation by authenticated users. The vulnerability highlights the importance of strict input validation and output encoding in WordPress plugins to prevent persistent XSS attacks.

The impact of CVE-2024-13670 is primarily on the confidentiality and integrity of affected WordPress sites using the efreja Music Sheet Viewer plugin. Exploitation allows attackers with contributor-level access to inject malicious scripts that execute in the context of any user visiting the compromised page. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. Since the vulnerability requires authenticated access, it limits exploitation to insiders or users with some level of trust, but many WordPress sites allow contributors or editors, making this a realistic threat. The scope change means that the vulnerability could affect other parts of the site beyond the plugin, increasing the risk. Organizations relying on this plugin risk reputational damage, data breaches, and loss of user trust if exploited. Although no known exploits are public, the medium severity and ease of exploitation warrant prompt attention.

To mitigate CVE-2024-13670, organizations should first check for and apply any official patches or updates from the efreja plugin vendor once available. In the absence of patches, administrators should consider disabling or uninstalling the Music Sheet Viewer plugin to eliminate the attack surface. Restrict contributor-level access and above to trusted users only, minimizing the risk of malicious script injection. Implement Web Application Firewall (WAF) rules that detect and block suspicious script injection patterns in shortcode attributes. Conduct thorough input validation and output encoding on any user-supplied data within WordPress customizations. Monitor site pages that use the 'pn_msv' shortcode for unexpected script content or behavior. Educate content contributors about the risks of injecting untrusted content. Finally, maintain regular backups and incident response plans to quickly recover from any compromise.