CVE-2024-13672 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Mini Course Generator WordPress plugin, which enables embedding mini-courses and interactive content. The vulnerability exists in all versions up to and including 1.0.5 due to insufficient sanitization and escaping of user-supplied input passed through the plugin's 'mcg' shortcode attributes. Authenticated users with contributor-level or higher privileges can exploit this flaw by injecting arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, unauthorized actions, or defacement. The vulnerability requires no user interaction beyond viewing the compromised page and can be exploited remotely over the network. The CVSS v3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges. No public exploits have been reported yet, but the risk remains significant due to the common use of WordPress and the plugin’s functionality. The plugin’s lack of proper input validation and output encoding is the root cause, emphasizing the need for secure coding practices in WordPress plugin development.

The vulnerability allows authenticated contributors or higher to inject persistent malicious scripts into WordPress pages, which execute in the context of any user viewing those pages. This can lead to theft of session cookies, enabling account takeover or privilege escalation. Attackers may also manipulate page content, perform unauthorized actions on behalf of users, or spread malware. Although the impact on availability is minimal, the confidentiality and integrity of user data and site content are at risk. Organizations relying on this plugin for educational or interactive content delivery may face reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. The medium CVSS score reflects that exploitation is feasible but requires some level of authenticated access, limiting the attack surface to sites with multiple contributors or editors. However, given WordPress’s widespread use, the aggregate risk is significant, especially for sites with active user collaboration.

Immediate mitigation involves updating the Mini Course Generator plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious input. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode attributes can provide temporary protection. Site owners should audit existing content for injected scripts and remove any suspicious code. Employing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources. Developers should review and improve input validation and output encoding in the plugin’s codebase, ensuring all user-supplied data is properly sanitized before rendering. Regular security assessments and monitoring for unusual user activity can help detect exploitation attempts early.