CVE-2024-13673 is a stored cross-site scripting (XSS) vulnerability identified in the Big Boom Directory plugin for WordPress, specifically in the 'bbd-search' shortcode functionality. The vulnerability exists due to insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions. The vulnerability affects all versions of the plugin up to and including 2.5.0. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and a scope change (S:C) that affects confidentiality and integrity but not availability. Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation by authenticated users make it a significant risk for websites using this plugin. The vulnerability was reserved in January 2025 and published in April 2025, with no official patch links currently available, indicating that remediation may be pending or in progress.

The impact of CVE-2024-13673 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an attacker with contributor-level access to inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, or site defacement. Since the attack requires authenticated access, the threat is limited to environments where users have contributor or higher privileges, but many WordPress sites grant such access to multiple users, increasing risk. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the attacker's privileges, amplifying the potential damage. Although availability is not directly impacted, the loss of trust and potential data breaches can have significant reputational and operational consequences for organizations. This vulnerability is particularly concerning for websites with multiple contributors or public-facing content managed by various users.

To mitigate CVE-2024-13673, organizations should take several specific steps beyond generic advice: 1) Immediately restrict contributor-level and higher privileges to trusted users only, minimizing the number of accounts that can exploit the vulnerability. 2) Monitor and audit existing content for injected scripts or suspicious shortcode usage, removing any malicious code found. 3) Implement web application firewall (WAF) rules that detect and block attempts to inject scripts via the 'bbd-search' shortcode attributes. 4) Encourage or enforce the use of content security policies (CSP) to limit the impact of any injected scripts. 5) Regularly back up website data to enable recovery in case of compromise. 6) Stay informed about updates from the plugin vendor and apply patches promptly once released. 7) Consider temporarily disabling or replacing the Big Boom Directory plugin if immediate patching is not possible. 8) Educate users with contributor-level access about safe content practices and the risks of injecting untrusted code.