CVE-2024-13674 is a stored cross-site scripting vulnerability identified in the Cosmic Blocks (40+) Content Editor Blocks Collection plugin for WordPress, specifically affecting all versions up to and including 1.3.0. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), where the plugin's 'cwp_social_share' shortcode fails to adequately sanitize and escape user-supplied attributes. This flaw allows authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability requires no user interaction beyond viewing the infected page but does require the attacker to have at least contributor-level access, which is a moderate barrier to exploitation. The CVSS v3.1 base score of 6.4 reflects a medium severity, with the vector indicating network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those that allow contributor-level users to add or edit content. The absence of official patches at the time of reporting necessitates immediate mitigation efforts by administrators.

The primary impact of CVE-2024-13674 is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users' browsers, enabling theft of session cookies, credentials, or other sensitive information. This can lead to account takeover, unauthorized content modification, or further exploitation within the site. Although availability is not directly affected, the reputational damage and trust erosion from such attacks can be significant. Organizations relying on this plugin for content editing are at risk of internal threat actors or compromised contributor accounts exploiting this vulnerability. The scope includes all sites running vulnerable versions of the Cosmic Blocks plugin, which may be widespread given the popularity of WordPress and content editor blocks. The requirement for authentication limits remote anonymous exploitation but does not eliminate risk, especially in environments with many contributors or weak access controls.

To mitigate CVE-2024-13674, organizations should immediately upgrade the Cosmic Blocks (40+) Content Editor Blocks Collection plugin to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'cwp_social_share' shortcode can provide temporary protection. Site owners should also enforce strict input validation and output encoding on user-generated content where possible. Regularly scanning the website for injected scripts and monitoring logs for unusual behavior can help detect exploitation attempts. Additionally, educating contributors about safe content practices and limiting the use of shortcodes that accept user input can reduce attack surface. Finally, maintaining up-to-date backups ensures recovery capability in case of compromise.