CVE-2024-13696 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress, affecting all versions up to and including 1.2.25. The root cause is insufficient input sanitization and output escaping of the 'wishlist_name' parameter. This flaw allows unauthenticated attackers to inject arbitrary JavaScript code into wishlist pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 7.2 (high severity), with an attack vector of network (remote exploitation), low attack complexity, no privileges required, no user interaction needed, and a scope change indicating impact beyond the vulnerable component. While no public exploits are currently known, the vulnerability's characteristics make it a critical concern for WooCommerce sites using this plugin. The plugin is popular among e-commerce sites built on WordPress, which is widely used globally. The vulnerability compromises confidentiality and integrity but does not affect availability. The lack of patches at the time of publication necessitates immediate mitigation steps.

The vulnerability enables attackers to execute arbitrary scripts in the context of affected users, potentially leading to theft of sensitive information such as authentication cookies, personal data, or payment information. It can also facilitate unauthorized actions on behalf of users, including changing wishlist contents or other user-specific data. For e-commerce platforms, this can result in loss of customer trust, reputational damage, and potential financial losses. Since the attack requires no authentication or user interaction, the risk of widespread exploitation is significant once an exploit becomes available. The scope change in the CVSS vector indicates that the impact extends beyond the vulnerable plugin, potentially affecting the entire WordPress site and its users. Organizations relying on this plugin for wishlist functionality face increased risk of data breaches and account compromise, which can have regulatory and compliance implications, especially in regions with strict data protection laws.

1. Immediate mitigation involves updating the Flexible Wishlist for WooCommerce plugin to a version that addresses this vulnerability once released by the vendor. 2. Until a patch is available, implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'wishlist_name' parameter. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. 4. Sanitize and validate all user inputs at the application level, especially parameters that are reflected or stored and rendered in web pages. 5. Monitor web server and application logs for suspicious requests containing script payloads targeting the wishlist functionality. 6. Educate site administrators and users about the risks of XSS and encourage the use of strong, unique passwords and multi-factor authentication to mitigate session hijacking risks. 7. Consider temporarily disabling the wishlist functionality if immediate patching or WAF deployment is not feasible. 8. Conduct regular security assessments and penetration testing focusing on input validation and output encoding across all plugins and custom code.