CVE-2024-13690 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WP Church Donation plugin for WordPress, maintained by ashishajani. The vulnerability exists in all versions up to and including 1.7, caused by insufficient input sanitization and lack of proper output escaping on several donation form submission parameters. This flaw allows unauthenticated attackers to inject arbitrary JavaScript code that is stored persistently on the server and executed in the context of any user who accesses the affected pages. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS 3.1 base score of 7.2 reflects a high severity, with an attack vector of network (remote exploitation), low attack complexity, no privileges required, and no user interaction needed. The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. The impact includes limited confidentiality and integrity loss, as attackers can steal session cookies, perform actions on behalf of users, or manipulate page content. No patches or fixes have been linked yet, and no known exploits are reported in the wild. Given WordPress's widespread use and the plugin's niche for church donation management, the vulnerability presents a significant risk for websites relying on this plugin for donation processing and user interaction.

The impact of CVE-2024-13690 is considerable for organizations using the WP Church Donation plugin. Successful exploitation can lead to session hijacking, enabling attackers to impersonate legitimate users, potentially including administrators. This can result in unauthorized actions such as modifying donation data, defacing the website, or redirecting users to malicious domains. The stored nature of the XSS means the malicious script persists and affects all visitors to the compromised pages, amplifying the attack's reach. Confidentiality is impacted as attackers may steal sensitive user information or authentication tokens. Integrity is compromised through unauthorized content manipulation. Although availability is not directly affected, the reputational damage and potential loss of donor trust can have severe business consequences, especially for religious organizations relying on donations. The vulnerability's ease of exploitation without authentication or user interaction increases the likelihood of attacks, making it a critical concern for affected sites worldwide.

To mitigate CVE-2024-13690, organizations should first check for any official patches or updates from the plugin developer and apply them immediately once available. In the absence of an official patch, implement strict input validation and sanitization on all donation form parameters, ensuring that any user-supplied data is properly escaped before rendering in HTML contexts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Disable or restrict the plugin temporarily if feasible, especially on high-traffic or sensitive sites. Conduct thorough code reviews of the plugin's input handling and output generation to identify and remediate similar vulnerabilities. Additionally, monitor web server logs and user reports for suspicious activity indicative of exploitation attempts. Educate site administrators on the risks of XSS and encourage the use of security plugins that provide additional XSS protection. Finally, maintain regular backups and incident response plans to quickly recover from any successful attacks.